SECUI NXG W V2.0 Security Target Date 2009-10-20 Team/Author Product Innovation Team / Y. S. Kim Version V1.3 Classification Public Revision History Version Author Date Description V1.0 Y. S. Kim 2009-08-06 1st draft V1.1 Y. S. Kim 2009-08-20 Update according to EOR-01 V1.2 Y. S. Kim 2009-09-18 TOE description, security objectives, and SFRs changed V1.3 N. Y. Kim 2009-10-20 Version changed according to the TOE version management rules Security Target I Table of Contents Table of Contents ............................................................................I List of Figures ...............................................................................V List of Tables.................................................................................V 1. ST Introduction .......................................................................... 1 1.1. ST Identification .............................................................................................................. 1 1.2. TOE Identification............................................................................................................ 1 1.3. TOE Overview................................................................................................................. 2 1.3.1. Usage of the TOE ................................................................................................. 2 1.3.2. Major security features of the TOE....................................................................... 2 1.3.3. Operational environment of the TOE.................................................................... 3 1.3.3.1. Single TOE configuration............................................................................ 3 1.3.3.2. HA configuration6 1.4. TOE Description.............................................................................................................. 8 1.4.1. Physical scope of the TOE.................................................................................... 8 1.4.2. Logical scope of the TOE.................................................................................... 10 1.4.3. Non-TOE scope .................................................................................................. 14 1.5. Conventions .................................................................................................................. 16 2. Conformance Claims ................................................................. 18 2.1. CC Conformance Claim ................................................................................................ 18 2.2. PP Claim ....................................................................................................................... 18 2.3. Package Claim.............................................................................................................. 18 2.4. Conformance Rationale ................................................................................................ 18 3. Security Problem Definition ....................................................... 20 3.1. Threats .......................................................................................................................... 20 3.2. Organizational Security Policies ................................................................................... 21 3.3. Assumptions.................................................................................................................. 21 4. Security Objectives................................................................... 23 4.1. Security Objectives for the TOE.................................................................................... 23 4.2. Security Objectives for the Operational Environment ............................................................ 24 Security Target II 4.3. Security Objectives Rationale....................................................................................... 25 4.3.1. Rationale for the security objectives for the TOE ............................................... 28 4.3.2. Rationale for the security objectives for the operational environment................ 29 5. Extended Component Definition.................................................. 31 6. Security Requirements .............................................................. 32 6.1. Security Functional Requirements................................................................................ 33 6.1.1. Security Audit (FAU) ........................................................................................... 35 6.1.1.1. FAU_ARP Security audit automatic response.......................................... 35 6.1.1.2. FAU_GEN Security audit data generation................................................ 35 6.1.1.3. FAU_SAA Security audit analysis............................................................. 36 6.1.1.4. FAU_SAR Security audit review............................................................... 37 6.1.1.5. FAU_STG Security audit event storage ................................................... 37 6.1.2. User Data Protection (FDP)................................................................................ 38 6.1.2.1. FDP_IFC Information flow control policy.................................................. 38 6.1.2.2. FDP_IFF Information flow control functions ............................................. 39 6.1.2.3. FDP_SDI Stored data integrity ................................................................. 43 6.1.3. Identification and Authentication (FIA)................................................................ 44 6.1.3.1. FIA_AFL Authentication failures ............................................................... 44 6.1.3.2. FIA_ATD User attribute definition............................................................. 44 6.1.3.3. FIA_UAU User authentication .................................................................. 44 6.1.3.4. FIA_UID User identification ...................................................................... 45 6.1.4. Security Management (FMT).............................................................................. 45 6.1.4.1. FMT_MOF Management of functions in TSF........................................... 45 6.1.4.2. FMT_MSA Management of security attributes ......................................... 46 6.1.4.3. FMT_MTD Management of TSF data....................................................... 48 6.1.4.4. FMT_SMF Specification of management functions.................................. 52 6.1.4.5. FMT_SMR Security management roles ................................................... 52 6.1.5. Protection of the TSF (FPT)................................................................................ 53 6.1.5.1. FPT_FLS Fail secure................................................................................ 53 6.1.5.2. FPT_TEE Testing of external entities ....................................................... 53 6.1.5.3. FPT_TST TSF self test............................................................................. 53 6.1.6. Resource Utilization (FRU)................................................................................. 53 6.1.6.1. FRU_FLT Fault tolerance ......................................................................... 53 6.1.7. TOE Access (FTA) .............................................................................................. 54 6.1.7.1. FTA_SSL Session locking and termination .............................................. 54 Security Target III 6.2. Security Assurance Requirements................................................................................ 54 6.2.1. Security Target Evaluation (ASE) ....................................................................... 55 6.2.1.1. ASE_INT.1 ST introduction....................................................................... 55 6.2.1.2. ASE_ECD.1 Extended components definition.......................................... 55 6.2.1.3. ASE_CCL.1 Conformance claims ............................................................ 56 6.2.1.4. ASE_OBJ.2 Security objectives................................................................ 57 6.2.1.5. ASE_REQ.2 Derived security requirements............................................. 57 6.2.1.6. ASE_SPD.1 Security problem definition................................................... 58 6.2.1.7. ASE_TSS.1 TOE summary specification.................................................. 58 6.2.2. Development (ADV)............................................................................................ 59 6.2.2.1. ADV_ARC.1 Security architecture description ......................................... 59 6.2.2.2. ADV_FSP.4 Complete functional specification......................................... 60 6.2.2.3. ADV_IMP.1 Implementation representation of the TSF............................ 60 6.2.2.4. ADV_TDS.3 Basic modular design........................................................... 61 6.2.3. Guidance Documents (AGD).............................................................................. 62 6.2.3.1. AGD_OPE.1 Operational user guidance.................................................. 62 6.2.3.2. AGD_PRE.1 Preparative procedures ....................................................... 62 6.2.4. Life-Cycle Support (ALC).................................................................................... 63 6.2.4.1. ALC_CMC.4 Production support, acceptance procedures and automation ...... 63 6.2.4.2. ALC_CMS.4 Problem tracking CM coverage ........................................... 64 6.2.4.3. ALC_DEL.1 Delivery procedures.............................................................. 64 6.2.4.4. ALC_DVS.1 Identification of security measures....................................... 65 6.2.4.5. ALC_LCD.1 Developer defined life-cycle model ...................................... 65 6.2.4.6. ALC_TAT.1 Well-defined development tools............................................. 65 6.2.5. Tests (ATE).......................................................................................................... 66 6.2.5.1. ATE_COV.2 Analysis of coverage ............................................................ 66 6.2.5.2. ATE_DPT.2 Testing: security enforcing modules...................................... 66 6.2.5.3. ATE_FUN.1 Functional testing ................................................................. 67 6.2.5.4. ATE_IND.2 Independent testing – sample ............................................... 67 6.2.6. Vulnerability Assessment (AVA).......................................................................... 68 6.2.6.1. AVA_VAN.3 Focused vulnerability analysis.............................................. 68 6.3. Security Requirements Rationale ................................................................................. 69 6.3.1. Security functional requirements rationale ......................................................... 69 6.3.2. Security assurance requirements rationale ........................................................ 75 6.4. Dependencies rationale ................................................................................................ 75 6.4.1. Dependencies between the SFRs ...................................................................... 75 Security Target IV 6.4.2. Dependencies between the SARs...................................................................... 76 7. TOE summary specification........................................................ 77 7.1. Security Audit (SW_AUDIT) .......................................................................................... 77 7.1.1. Audit record generation (SW_AUDIT_GEN)....................................................... 77 7.1.2. Audit record review (SW_AUDIT_REVIEW)....................................................... 79 7.1.3. Audit record protection (SW_AUDIT_PROTECT) .............................................. 80 7.2. Identification and Authentication (SW_INA).................................................................. 80 7.2.1. Administrator group generation and administrator registration (SW_INA_REGISTER) .. 80 7.2.2. Administrator identification and authentication (SW_INA_AUTH)...................... 81 7.3. User Data Protection (SW_DP)..................................................................................... 81 7.3.1. Web server attack protection (SW_DP_AP)....................................................... 82 7.3.1.1. Web server data learning (SW_DP_AP_LEARN) .................................... 82 7.3.1.2. Web server data protection (SW_DP_AP_PROTECT)............................ 83 7.3.1.3. Service contents protection (SW_DP_AP_CONTENTS) ......................... 85 7.3.2. Packet filtering (SW_DP_PF) ............................................................................. 86 7.4. Security Management (SW_MAN)................................................................................ 87 7.4.1. Management of security functions (SW_MAN_FUN) ......................................... 87 7.4.2. Management of security attributes (SW_MAN_ATTR)....................................... 88 7.4.3. Management of TSF data (SW_MAN_DATA)..................................................... 89 7.4.3.1. Management of TSF data (SW_MAN_DATA_ADMIN)............................. 89 7.4.3.2. Management of limits on TSF data (SW_MAN_DATA_LIMIT)................. 91 7.4.4. Security management roles (SW_MAN_ROLE)................................................. 91 7.5. Protection of the TSF (SW_PT) .................................................................................... 92 7.5.1. TSF data integrity check and action (SW_PT_CHK).......................................... 92 7.5.2. External entity testing SW_PT_CHK) ................................................................. 92 7.5.3. Maintenance of secure state and session management (SW_PT_AVAILABILITY)........ 93 7.5.4. HA function (SW_PT_HA)................................................................................... 93 8. Annex...................................................................................... 95 8.1. Glossary and Abbreviation ............................................................................................ 95 8.2. Reference.................................................................................................................... 103 Security Target V List of Figures Figure 1-1 Router mode ................................................................................................................ 4 Figure 1-2 Bridge mode(Transparent)........................................................................................... 5 Figure1-3 Transparent router mode .............................................................................................. 6 Figure 1-4 HA(Active-Standby) mode............................................................................................ 6 Figure 1-5 HA(Active-Active) mode............................................................................................... 7 Figure 1-6 Physical scope of the TOE........................................................................................... 8 Figure 1-7 Logical scope of the TOE........................................................................................... 10 Figure 8-1 RMI XLRTM Processor Family .................................................................................. 100 List of Tables Table 1-1 Requirements for Installation of CLI/GUI Administrator Console ................................ 14 Table 1-2 Configuration of the TOE............................................................................................. 15 Table 3-1 Threats to the TOE ...................................................................................................... 20 Table 3-2 Organizational Security Policies.................................................................................. 21 Table 3-3 Assumptions ................................................................................................................ 21 Table 4-1 Security Objectives for the TOE .................................................................................. 23 Table 4-2 Security Objectives for the Operational Environment ................................................. 24 Table 4-3 Mappings between Security Problem Definition and Security Objectives................... 26 Table 6-1 Subjects, Objects, Related Security Attributes, and Operations ................................. 32 Table 6-2 Security Functional Requirements .............................................................................. 33 Table 6-3 Auditable Events.......................................................................................................... 35 Table 6-4 Audit Event of Information Flow Control Rule Violation............................................... 36 Table 6-5 Audit Review Criteria ................................................................................................... 37 Table 6-6 Actions to be Taken Upon Detection of an Integrity Error ........................................... 43 Table 6-7 List of Functions(1)...................................................................................................... 45 Table 6-8 List of Functions(2)...................................................................................................... 46 Table 6-9 List of Functions(3)...................................................................................................... 46 Security Target VI Table 6-10 Management of Security Attributes(1)....................................................................... 47 Table 6-11 Management of Security Attributes(2) ....................................................................... 47 Table 6-12 Management of Security Attributes(3)....................................................................... 47 Table 6-13 Management of Security Attributes(4)....................................................................... 48 Table 6-14 List of TSF Data(1) .................................................................................................... 49 Table 6-15 List of TSF Data(2) .................................................................................................... 49 Table 6-16 List of TSF Data(3) .................................................................................................... 50 Table 6-17 List of TSF Data(4) .................................................................................................... 50 Table 6-18 List of TSF Data(5) .................................................................................................... 51 Table 6-19 Actions in Case of Reached or Exceeded TSF Data Limits ...................................... 51 Table 6-20 Security Assurance Requirements: EAL4 ................................................................. 54 Table 6-21 Mapping SFRs to the Security Objectives................................................................. 69 Table 7-1 Allowed Transaction Log Fields................................................................................... 78 Table 7-2 Denied Transaction Log Fields.................................................................................... 78 Table 7-3 IP Firewall Log Fields .................................................................................................. 78 Table 7-4 Audit Log(Configuration Log) Fields............................................................................ 78 Table 7-5 System Log Fields....................................................................................................... 79 Table 7-6 Target of Potential Violation Analysis........................................................................... 79 Table 7-7 Audit Event of Information Flow Control Rule Violation............................................... 79 Table 7-8 Audit Review Criteria ................................................................................................... 80 Table 7-9 Cookie Policy: Data Protection Policy ......................................................................... 83 Table 7-10 Cookie Policy: Data Security Policy .......................................................................... 84 Table 7-11 List of Management of Security Functions ................................................................ 87 Table 7-12 Management of Security Attributes ........................................................................... 88 Table 7-13 Management of TSF Data ......................................................................................... 89 Table 7-14 Management of Limits on TSF Data and Actions...................................................... 91 Table 7-15 Authorized Administrator Roles ................................................................................. 92 Table 8-1 Main features of XLR Processor Family.................................................................... 100 1. ST Introduction Security Target Confidential 1 1. ST Introduction This Security Target describes the security functionality and evaluation scope of SECUI NXG W V2.0 provided by SECUI.com Corp. and presents the conformance claim, security problem definition, security objectives, security requirements, and TOE summary specification. This ST will be referenced that is defined requirements as secure management of Web application firewall. 1.1. ST Identification File Name ST_SECUI NXG W V2.0_V1.3 ST Title SECUI NXG W V2.0 Security Target Version 1.3 Document History Refer to Revision History Author Youngsik Kim / Product Innovation Team / SECUI.com Corp. Date 18 September 2009 Evaluation Criteria Common Criteria for Information Technology Security Evaluation (CC, Notification no.2009-52 by the MOPAS) CC Version CC V3.1r2 PP Conformance N/A EAL EAL4 Product Type Web application firewall Keywords Command injection, I&A, Web server, Web application, Web application firewall, Web client, information flow control, cookie poisoning, cross site scripting(XSS), heuristics, HTTP header buffer overflow attack, SQL injection, server information cloaking Evaluation Facility Korea System Assurance, Inc. Certification Body IT Security Certification Center, National Intelligence Service 1.2. TOE Identification TOE Identification SECUI NXG W Version V2.0 (Patch version: V2.0.1) Security Target 1.3. TOE Overview 2 Confidential Product Line SECUI NXG 4000W-4C. SECUI NXG 4000W-12C, SECUI NXG 4000W- 12F, SECUI NXG 2000W-4C, SECUI NXG 2000W-12C, SECUI NXG 2000W-12F 1.3. TOE Overview The TOE described in this ST refers to a software-based Web application firewall, which detects and prevents intrusion against the Web application and Web server data on the Web zone. The TOE locates on a point that connects internal and external of Web zone connected to the Internet in order to detect and prevent malicious Web traffic that flows between the internal and external. 1.3.1. Usage of the TOE As in the Table 1-1, TOE operational environment is comprised of SECUI NXG 4000W product line (SECUI NXG 4000W-4C, SECUI NXG 4000W-12C, SECUI NXG 4000W-12F) and SECUI NXG 2000W product line (SECUI NXG 2000W-4C, SECUI NXG 2000W-12C, SECUI NXG 2000W-12F). The TOE locates on the connection point of external and internal of the Web zone connected to the Internet and protects the Web traffic that the network firewall fails to protect from external unauthorized attack. It also supports SSL communication between the Web server and Web client, which consequently will decrease the load on the server and provide services more than faster. After installed, the TOE will be learned Web tree database by heuristics of the Web access patterns on the network. Then it will be allowed only learned heuristics patterns, which provides appropriate countermeasure for an unknown attack (Zero-Day Attack) in possible. It is also performed monitoring the hacking of the Web application and Web server data through the HTTP protocol check and HTML parsing, which ensure from sophisticated intrusion of detection and blocking in real-time. 1.3.2. Major security features of the TOE The TOE provides packet filtering and Web server protection for user data protection. Packet 1. ST Introduction Security Target Confidential 3 filtering allows or denies access of a packet passing through the TOE to the Web server or TOE itself according to the policy defined by an authorized administrator. Packets allowed access will be sent to the TOE Web protection proxy daemon to perform Web server attack protection, which is a basic security function of a Web application firewall, including Web server data heuristics, Web server data protection, and service contents protection. The TOE monitors the requests for Web clients for a defined time to collect Web traffic data (Web server data heuristics) and protects Web server data (Web server data protection). It also prevents corruption of personal information such as SSN or credit card numbers and Web page (Service contents protection). An authorized administrator defines security policies for the Web server attack protection and upon which performs security action on all Web traffic input to the TOE. “Security action” refers to the specific security behaviors performed according to the violations detected by the Web server attack protection. Security behaviors include transferring detected violation to log data (LOG), disconnecting violating traffic (Drop), emailing an administrator, showing a warning page, page redirection, and replacing characters. The TOE also provides functions of I&A, security audit, secure management, and TSF protection: I&A, identification and authentication of an administrator, ensures actions to be taken in case of authentication failure. Secure audit generates, makes log of audit records, and reviews to detect potential security violation and take an action. Security management addresses security functions, security attributes, TSF data, and security roles. TSF protection performs self testing to verify integrity of the TSF data and executable code; tests external entities to maintain secure state; provides a function to manage a session after a specified period of administrator inactivity; and provides HA functionality in case of configuration with more than 2 TOEs, which realizes high availability when one system cannot function normally by making traffic transferred to other active systems. 1.3.3. Operational environment of the TOE The TOE can be installed either in single or HA configuration, which involves more than two TOEs. 1.3.3.1. Single TOE configuration Single TOE configuration includes Router mode, Bridge mode(Transparent), and Transparent router mode. Security Target 1.3. TOE Overview 4 Confidential Router mode is implemented as a general forward proxy type, which gets the address of Web server inside the Web zone to be protected to the TOE and analyzes all Web traffic trying to access the Web server from outside to protect the Web server that is defined as an internal network. Figure 1-1 Router mode Bridge mode(Transparent) is configured in in-line type as a general firewall. The TOE checks Web traffic between the Web client and Web zone. This mode offers network transparency, where a Web server user cannot recognize the TOE, and doesn’t require the network configuration changed. 1. ST Introduction Security Target Confidential 5 Figure 1-2 Bridge mode(Transparent) Transparent router mode is where the TOE operates as a Web proxy; it is recommended that the TOE be installed in the same network bandwidth with the Web server and that the Web server address be changed into the TOE IP address by DNS. When a Web server user requires access to the Web server, the TOE checks the contents and sends it back to the Web server. Result of request will go the opposite direction. In this case, any traffic other than the Web traffic and traffic for administration will not be transferred to the TOE. Security Target 1.3. TOE Overview 6 Confidential Figure1-3 Transparent router mode 1.3.3.2. HA configuration In a HA(Active-Standby) mode, more than 2 TOEs synchronize each other’s updated data and check other systems’ status and roles. Master TOE and B-Master TOE regularly check through the HA-Link if the other system is active. When the Master is not acting normally, the B-Master handles the Master’s role. Figure 1-4 HA(Active-Standby) mode 1. ST Introduction Security Target Confidential 7 HA(Active-Active) mode is in a clustering-type using L4 switch to configure more than 2 TOEs. Each clustered TOE regularly checks through the HA-Link if the others are active. Active-Active clustering prepares for Web service load distribution and countermeasures against possible errors to ensure steady and continuous Web service. Figure 1-5 HA(Active-Active) mode GUI and CLI administrator console can manage the TOE according to the remote or local administrator guidance. They allow an authorized administrator to set and change the initial configuration of the TOE. The administrator can access the GUI administrator console through the Web browser to start, stop, and terminate the security functions. NTP server is used to get exact time information when the TOE generates an audit data. DNS server provides name services about the host name of the Web server used by the TOE. Both of them can be located either in the same network with the TOE operational system or in an external network. SMTP server sets the security action of sending an email regarding the security-relevant events occurred in the TOE and is normally located in the same network with the TOE operational system or in an internal network. Syslog server remotely transfers security audit data recorded by the TOE and is also located in the same network with the TOE operational system or in an internal network. When an attacker accesses using HTTPS protocol that uses SSL encryption between the Web server and Web client, the TOE terminates HTTPS connection and provides security functions, Security Target 1.4. TOE Description 8 Confidential which will operate in real time to prevent attack that may affect the protected system. 1.4. TOE Description This section describes the physical and logical scope of the TOE. 1.4.1. Physical scope of the TOE Target of evaluation comprises SECUI NXG W V2.0 (software) and SECUI NXG W V2.0 User Operational Manual. The software will be delivered to the customers loaded to the dedicated hardware as specified in the Table 1-1 Configuration of the TOE and the manual as both a hard copy and a PDF file in a CD. Figure 1-6 Physical scope of the TOE As shown in the Figure 1-6, the TOE is physically comprised of the following: • GUI interface component comprises GUI interface command process (ems_server), which 1. ST Introduction Security Target Confidential 9 transfers the administrator command to the configuration management process (mconfd). • Security management component comprises configuration management process (mconfd), configuration command enforcing process (vtysh), configuration file management process (save_config), and integrity monitoring process (genHASH). Configuration management process (mconfd) performs IPC communication to interpret an administrator command sent from GUI interface command handling process (ems_server) of GUI interface component and send it to the other components. It also performs administrator identification and authentication. Configuration command enforcing process (vtysh) processes the interpreted command and performs the functions. Configuration file management process (save_config) stores what is set by an administrator in a configuration file or applies what is set by opening it from the stored files. Integrity monitoring process (genHASH) monitors whether integrity of the TSF data (TOE configuration file, TOE executable file, administrator identification and authentication data, etc.) is damaged and, when it is, restores it. • Web protection component comprises Web server attack protection process (heimdall), which addresses all Web server attack protection functions provided by the TOE while operating based on multi thread. • Service start-up and monitoring component is comprised of service monitoring process (vrrpd) and a service management process (codelook). Service monitoring process (vrrpd) enables the processes of each component in the TOE and monitors operation of each process to restart it if service stops due to malfunction. Service management process (codelook) processes command sent from configuration management process (mconfd) and controls start/stop/restart of each process. HA process (had) implements high availability by making all traffics transferred to the B-Master when the Master cannot function normally. • Audit and alarm component comprises audit record and search process (cl_logd), alarm transfer process (smtp_agent), statistics collection process (statd), and report generation process (report_gen). Audit record and search process (cl_logd) provides functions to generate and search all security audit records by the TSF and to remotely transfer log data to the Syslog server. Alarm transfer process (smtp_agent) sends an email designated by an administrator when a potential violation is detected. Statistics collection process (statd) provides statistical material for each type of allowed/denied transaction and Web intrusion attack. Report generation process (report_gen) generates a report out of the statistics. • IP protection policy establishment component comprises IP protection policy collection process (tipc_ruleconv) and IP protection policy application process (low_rulegen). IP protection policy collection process (tipc_ruleconv) transforms packet filtering policy set by an administrator and provides it for IP protection process (ipfw) in the kernel of OS. IP protection policy application process (low_rulegen) transfers the transformed policy to IP Security Target 1.4. TOE Description 10 Confidential protection configuration component to apply it. • IP protection configuration component comprising IP protection configuration process (init_fw) sends the packet filtering policy transformed by IP protection policy establishment component to IP protection process (ipfw). • IP protection component comprising IP protection process (ipfw) performs packet filtering on all packets coming into or out of the TOE network. Therefore, all packets are controlled through IP protection process (ipfw). 1.4.2. Logical scope of the TOE Figure 1-7 Logical scope of the TOE The TOE is comprised logically of identification and authentication, security management, security audit, protection of the TSF, and user data protection. • Identification and Authentication The TOE identifies and authenticated an authorized administrator using ID/Password through the GUI/CLI administrator console. It defines an administrator group and manages it for each Web server and domain, which is necessary for the management of many different Web servers and domains. When an authentication attempt consecutively fails three times, the TOE 1. ST Introduction Security Target Confidential 11 will block login access from the failed administrator ID for the next 5 minutes. • Security Management An administrator establishes and manages security policies regarding Web server data learning, Web server data protection, and service contents protection through the GUI administrator console. The TOE provides a function to configure DNS server, NTP server, network, and interface that are required for the TOE to operate on an Internet. It also provides a function to manage the TOE status and configuration files. Administrator that can access the administrator interface includes a super administrator, server administrator, and user. Super administrator has all authorities for management of the TOE; server administrator has all except for the following functions of the TOE; and user has a read- only authority. [Security management functions] - Management of security functions: System monitoring, system configuration initialization, backup and recovery of the TOE configuration data, integrity check, TOE network operation mode, method of audit trail, etc. - Management of TSF data: Version and time information of the TOE, time limit of an administrator session, permitted number of login sessions, administrator interface information, information of the TOE network interface configuration, information of the TOE network interface, address of each operation mode of the TOE network, interface information of each operation mode of the TOE network, address of DNS/NTP server, information about enabling audit functions, configuration information of an administrator email, warning page, configuration information of a policy bypass for the purpose of administration, information about identification and authentication of an administrator, configuration information of a host name, routing configuration information, etc. • Security Audit An authorized administrator is provided with a function to review and search audit records using search conditions and to remotely transfer log data. Security audit generates a statistical report generated out of the audit records for the administrator to review. Analysis of potential security violation is possible using the audit records. When audit data storage meets the threshold, the TOE alarms an authorized administrator by an email; when the stored data surpasses the threshold (99%), the TOE deletes the oldest audit record without security function ceasing and generates an audit record. Security Target 1.4. TOE Description 12 Confidential • Protection of the TSF The TOE checks the state of CPU, memory, hard disk, TOE process, and network interface regularly during normal operation and, upon detection of anomaly, enables an administrator to restart TSF services. The TOE provides a function to monitor integrity of TSF data such as the TOE configuration file and TOE executable file. After the lock of a session by session management function after a certain period of administrator inactivity, re-authentication is required. In case that the Master cannot function normally, all traffics will be transferred to the B-Master to ensure high availability. • User Data Protection Packets coming into the TOE from outside shall be applied the packet filtering security policy set by an authorized administrator before it is allowed or denied access. Checking packets starts from a server access check. SECUI NXG W Information flow control policies will be applied to the header and body of those packets that passed the server access check. The TOE sends the packets that passed through packet filtering to the Web server and monitors request of a Web client for a specific period of time to build a Web tree database based on collected Web traffic data. Then it detects and blocks intrusion against the Web server exploiting vulnerabilities of Web. This should be based on a thorough analysis of http protocol. The TOE performs the following security behaviors: − URL check: Checks URL accessing the Web server; performs URL analysis, heuristics, access control, and directory access control. − Query phrase and value check: Checks query of Header and Body sent by GET or POST method. − Cookie corruption check: Checks the cookie made by the Web server; performs cookie encryption, cookie forge/corruption protection, and domain cookie management. − Cross-site scripting (XSS) protection: Checks whether the query or cookie data sent to the Web server includes an enforceable script or HTML tag. − Hidden field manipulation protection: Checks if a hidden field of each URL is manipulated or forged. − Header method check: Checks if the header method of each URL is allowed. − SQL injection protection: Blocks an attack where a user forges query and cookie value sent to the Web server so they have an SQL error and enforces SQL command randomly. − Command injection protection: Checks if any forbidden system command is being used. − URL-based access control: Establishes a policy for a URL of the Web server to allow or block access from specific IP addresses. − Base64 encoding check: Checks if a query used base64 encoding method. 1. ST Introduction Security Target Confidential 13 − Header buffer overflow check: Specifies the maximum size of an HTTP header to prevent buffer overflow. − URL extension check: Checks URL extension and determines whether to allow or block. − Password check: Checks if a password is made to be a vulnerable combination and length. − SSL induction: (In case that the protected Web server offers services by HTTPS) When a Web client tries to access by HTTP, the TOE helps the client to access by HTTPS The TOE protects personal credit information included in the protected Web server from being leaked. Personal credit information includes an SSN and credit card number. It also blocks transmission of the type and version information of the Web server to prevent an attack specialized against the Web server. It blocks transmission of an HTTP error page, which usually includes critical information of the server, to prevent unintended leakage of information. In addition, it prevents leakage of forged page and footnote. The TOE performs the following to protect Web server service: − Personal credit information protection: Protects personal information like an SSN and credit card number in the Web service contents. − Error page handling: Protects information of a Web server that can be included in an error page. − Comment removal: Checks whether the content from the protected Web server includes a comment and, if it does, removes the comment and sends it to a Web client. − Checksum protection: Checks the length or hash value of a Web page that the protected Web server sends as a respond to a Web client and protects modified contents from being leaked. − Forbidden word check: Checks if the contents from the Web server or query value delivered to the Web server include a forbidden word and, if they do, protects the contents from being leaked. − Server information cloaking: Replaces server-related information provided by the server header of the protected Web server by an information processed by the TOE in order to prevent the server information from being exposed. The TOE provides a function to define specific actions to be taken upon detection of violation based on the security policies set by an authorized administrator. Security actions configurable by the TOE include sending detected violation to log in the form of security audit record (LOG), disconnecting traffic (Drop), sending an email to an administrator, transferring a warning page, page redirection, and replacing characters. Security Target 1.4. TOE Description 14 Confidential 1.4.3. Non-TOE scope The following are not included in the evaluation. • Administrator Console(CLI/GUI) 9 Hardware specification of GUI/CLI console to manage the TOE (See Table 1-1) 9 Physical H/W specification for installation and operation of the TOE administrator consoles are shown below: Table 1-1 Requirements for Installation of CLI/GUI Administrator Console Component Minimum Specification Note CPU Pentium III 133 MHz or faster Main Memory 256 MB or bigger HDD 40 GB or bigger Hard disk space for installation of the administrator console program NIC 1 or more Serial Port 1 EA RJ-45 Type (RS-232 Serial, 38400 Baud) OS Windows XP Service Pack 2 Java Library jre-6u12-windows-i586-p Required to operate the GUI administrator console program Web Browser Internet Explorer Version 6.0 or higher Required to access the GUI administrator console program (128 bits or higher supporting SSL) Administrator Console Program Tera Term Professional Communication emulator for accessing the CLI adminnistrator console • DNS/NTP/SMTP Server 9 DNS server: Changes a domain name into an IP address so one can track down its location 9 NTP server: Timestamp that the TOE uses to get exact time information when it generates audit data. There are two ways for the TOE to get a trusted time stamp: using time information provided by the OS and using one provided by an external NTP server. In case of the system time, the TOE will regularly bring a value stored in Real-Time Clock (RTC) in its operational environment and compares it with its own time. The TOE time can only be changed by an authorized administrator. In case of the external NTP server, the TOE as an NTP client requires the NTP server for a correct current time. By exchanging time, the TOE can calculate the time of link delay using the gap between the time of NTP server and of its own and set its clock to be consistent with the server’s. The first clock settlement will require 6 exchanges of time during 5~10 minutes. Once the time synchronization is finished, the TOE can modify its clock by exchanging messages at the time defined by the GUI administrator 1. ST Introduction Security Target Confidential 15 console to get a trusted time stamp. 9 SMTP server: Used to notify an authorized administrator of security-relevant events detected in the TOE • Syslog Server 9 “syslog” is remote transmission log data, which is used when sending security audit records generated by the TOE to a remote syslog server. • H/W 9 The following specifications are needed for hardware to operate the TOE. SECUI is not responsible for arbitrary addition of hardware other than the evaluated environment. The environment for installation and operation of the TOE is assumed to be used independently for the TOE. It is also assumed that only the least administrator ID will be produced as necessary for operation of the TOE and it will be a non- malicious administrator that manages the ID, password, and security patch correctly. Table 1-2 Configuration of the TOE Component SECUI NXG 4000W – 4C SECUI NXG 4000W – 12C SECUI NXG 4000W – 12F SECUI NXG 2000W – 4C SECUI NXG 2000W – 12C SECUI NXG 2000W – 12F Note CPU XLR 732 1.2 GHz XLR 532 1.2 GHz XLR 732 1.2 GHz XLR 532 1.2 GHz XLR 732 1.2 GHz XLR 532 1.2 GHz XLR 732 1.2 GHz XLR 732 1.2 GHz XLR 732 1.2 GHz RMI XLR Processor (See 8.1 Glossary and Abbreviations) Main Memory 8 GB 8 GB 8 GB 4 GB 4 GB 4 GB CF Card 2 GB * 2 2 GB * 2 2 GB * 2 2 GB 2 GB 2 GB TOE will be installed in the CF card HDD 500 GB 500 GB 500 GB 500 GB 500 GB 500 GB For storing audit records NIC 4* 10/100/1000 BASE-T 12* 10/100/1000 BASE-T 12*1000 BASE-X 4* 10/100/1000 BASE-T 12* 10/100/1000 BASE-T 12*1000 BASE-X Mgmt Port 1*10/100/1000 BASE-T 1*10/100/1000 BASE-T 1*10/100/1000 BASE-T 1*10/100/1000 BASE-T 1*10/100/1000 BASE-T 1*10/100/1000 BASE-T Communication port for the CLI/GUI administrator console Serial Port 1 * RJ-45 1 * RJ-45 1 * RJ-45 1 * RJ-45 1 * RJ-45 1 * RJ-45 OS SecuiOS V1.2 • SSL 9 SSL protocol to ensure secure communication between the TOE and GUI administrator console with a validated cryptographic module Category Description SSL Library Type OpenSSL SSL Library Version 0.9.8k Security Target 1.5. Conventions 16 Confidential Library That Applied Validated Cryptographic Module MagicCrypto V1.1 Applied Cryptographic Algorithm Confidentiality algorithm (3DES, 168 bits) Integrity algorithm (HMAC-SHA1, 160 bits) Key exchange algorithm (RSA, 1024 bits) • Web Client(Web Browser) 9 Web client may transfer Web traffic through the TOE. Web client means a User Agent of a user who intends to use the Web server or Web application, which is the protected system; User Agent means the Web Browser. • Web Zone 9 Web server, DB server, or Web application in the Web zone does not refer to the server itself but the data related to the Web server and Web application that provide Web services. • SecuiOS 9 SecuiOS V1.2 is an embedded OS that SECUI.COM has developed for the operation of the TOE. • Protection against DoS attack 9 Protection against SYN Flooding attack 9 Protection against IP Source Routing attack 9 Protection against Smurf attack 9 Protection against ICMP(Ping) from the Internet • Congestion Control 9 Controls congestion due to anomalous Web traffic among those sent into the TOE. 1.5. Conventions The notation, formatting and conventions used in this Security Target are consistent with the Common Criteria for Information Technology Security Evaluation. The CC allows several operations to be performed on functional requirements; refinement, selection, assignment, and iteration. Each of these operations is used in this ST. Iteration It is used when a component is repeated with varying operations. The result of iteration is 1. ST Introduction Security Target Confidential 17 marked by iteration number in parenthesis following the component identifier, i.e., (Iteration No.). Assignment It is used to assign specific values to unspecified parameters (e.g. : password length). The result of assignment is indicated in square brackets, i.e., [ Assignment_Value ]. Selection It is used to select one or more options provided by the CC in stating a requirement. The result of selection is shown as underlined and italicized. Refinement It is used to add detail to a requirement, and thus further restricts a requirement. The result of refinement is shown in bold text. “Application Notes” are provided to help to clarify the intent of a requirement, identify implementation choices or to define "Pass/Fail" criteria for a requirement. Application Notes will follow relevant requirements where appropriate. Security Target 2.1. CC Conformance Claim 18 Confidential 2. Conformance Claims 2.1. CC Conformance Claim This ST claims conformance to the following standard: • Common Criteria reference 9 Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, Version 3.1 r1, September 2006, CCMB-2006-09-001 9 Common Criteria for Information Technology Security Evaluation, Part 2: Security functional components, Version 3.1 r2, September 2007, CCMB-2007-09-002 9 Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, Version 3.1 r2, September 2007, CCMB-2007-09-003 • Common Criteria Conformance 9 Part 2 Conformant 9 Part 3 Conformant 2.2. PP Claim This ST does not claim conformance to any registered PP. 2.3. Package Claim This ST conforms to the following package of security assurance requirements. • Assurance package: EAL4 conformant 2.4. Conformance Rationale 2. Conformance Claims Security Target Confidential 19 This ST does not claim conformance of other PPs, therefore it is not necessary to describe the conformance rationale. Security Target 3.1. Threats 20 Confidential 3. Security Problem Definition This chapter defines the threats, organizational security policies, and assumptions that are meant to be addressed by the TOE and the TOE operational environment. Assets to be protected by the TOE are: - Web server, Web service, resources used by the Web service, Web application, data processed by the Web application, and Web contents Assets that support secure operation of the TOE are: - The TOE including the TSF data, executable code, etc. 3.1. Threats This section describes the threats to the TOE, which consist of a threat agent, an asset, and an adverse action of that threat agent on that asset. A threat agent is generally an IT entity or human user that illegally accesses the assets in the Web zone or the TOE from outside or adversely acts on them. The threat agent that this ST refers to possesses enhanced-basic expertise, resources, and motivation. Table 3-1 Threats to the TOE T.Impersonation A threat agent can access the TOE by masquerading as an authorized administrator. T.Breakdown The TOE may not provide normal services to a user due to a breakdown occurred from external attacks, etc. T.Recording_Failure A threat agent can disable recording of security-related events of the TOE by exhausting its storage capacity. T.Illegal_Service_Access A threat agent can interrupt the Web service provision of a host in the internal network by accessing the Web services of the host. 3. Security Problem Definition Security Target Confidential 21 T.Abnormal_Web_Request A threat agent may cause erroneous operation of the Web server in the internal network of Web zone by transmitting Web traffic that holds abnormal structure. T.Continuous_Authentication_Attempt A threat agent can acquire the authorized administrator rights by continuously attempting authentication to access the TOE. T.Web_Contents_Attack A threat agent may forge the data of the Web application on the Web server or leak Web server data or personal credit information and misuse them. T.Unauthorized_TSF_Data_Change TSF data may be changed without authentication as a threat agent makes buffer overflow attack to the TOE. 3.2. Organizational Security Policies This section describes the organizational security policies (OSPs) that should be addressed by the TOE that conforms to this ST. Table 3-2 Organizational Security Policies P.Audit To trace responsibilities on all security-related activities, security-related events shall be recorded, maintained, and reviewed. P.Secure_Management An authorized administrator shall be able to manage the TOE in a secure manner1 and keep the TSF data up to date. 3.3. Assumptions T he following conditions are assumed to exist in the operational environment. Table 3-3 Assumptions 1 To manage this Web application firewall in safety, no one can delete or modify configuration files (not including the user data) except for authorized administrators of the TOE. Security Target 3.3. Assumptions 22 Confidential A.Physical_Security The TOE shall be located in a physically secure environment that can be accessed only by an authorized administrator. A.Security_Maintenance When the internal environment of Web zone changes due to change in the network configuration, Web server increase/decrease, Web application increase/decrease, Web service increase/decrease, etc., the changed environment and security policy shall immediately be reflected in the TOE operation policy so that security level can be maintained to be the same as before. A.Trusted_Administrator The authorized administrator of the TOE shall not have any malicious intention, receive proper training on the TOE management, and follow the administrator guidelines. A.Operating_System_Reinforcement Unnecessary services or means shall be removed from the operating system, and security shall be enhanced to better protect against vulnerabilities in the operating system thereby ensuring its reliability and stability. A.Single_Point_Of_Connection The TOE divides the network of zone into internal and external. All Web traffic between which are transferred through the TOE. A.Transfer_Data_Protection The TOE shall protect the TSF data transferred between a remote administrator and the TOE from unauthorized disclosure, modification, or deletion. 4. Security Objectives Security Target Confidential 23 4. Security Objectives This chapter defines security objectives by categorizing them into for the TOE and for the operational environment. Security objectives for the TOE are directly handled by the TOE. Security objectives for the operational environment are handled by technical/procedural means supported by the operational environment in order for the TOE to accurately provide security functions. 4.1. Security Objectives for the TOE The followings are security objectives to be directly handled by the TOE. Table 4-1 Security Objectives for the TOE O.Availability The TOE shall secure regular access to the protected Web server from an external Web browser even in the case of failure due to incidental or external attack by maintaining the minimum security functions. O.Audit The TOE shall make and maintain the records of security-related events in order to ensure tracing of responsibilities for security-related acts and shall provide a means to review the recorded data. O.Management The TOE shall provide a means for an authorized administrator of the TOE to efficiently manage the TOE in a secure manner. O.Abnormal_Web_Request_Cutoff The TOE shall analyze the attempts of the Web clients to access the protected Web server and cut off any abnormal attempt. O.Identification_And_Authentication The TOE shall identify a user that intends to access the TOE and all external IT entities that are subject to information flow control and authenticate the identity of the user before allowing access. O.Web_Contents_Protection The TOE can identify if the Web contents registered on the Web server, which is an IT entity, are Security Target 4.2. Security Objectives for the Operational Environment 24 Confidential altered and stop personal credit information such as SSN or credit card number from being leaked. O.TOE_Self_Protection The TOE shall protect itself in terms of TSF data protection and against change and deactivation of the TOE security functionality during start-up, periodically, and at the request of an authorized administrator. O.Information_Flow_Control The TOE shall control an unauthorized Web traffic from the external to the internal of Web zone according to the security policy. O.Heuristics The TOE shall provide a function that monitors the information of packets required by a Web client, which is an IT entity, for a specific period of time and makes a profile out of it with application of the security policy that the TOE provides. O.TSF_Data_Protection The TOE shall protect TSF data from unauthorized disclosure, modification, and deletion. 4.2. Security Objectives for the Operational Environment The followings are security objectives to be handled by the technical/procedural measures supported by the operational environment in order for the TOE to accurately provide security functions. Table 4-2 Security Objectives for the Operational Environment OE.Physical_Security The TOE shall be located in a physically secure environment that can be accessed only by an authorized administrator. OE.Security_Maintenance When the internal environment of Web zone changes due to change in the network configuration, Web server increase/decrease, Web application increase/decrease, Web service increase/decrease, etc., the changed environment and security policy shall immediately be reflected in the TOE operation policy so that security level can be maintained to be the same as before. OE.Trusted_Administrator The authorized administrator of the TOE shall not have any malicious intention, receive proper 4. Security Objectives Security Target Confidential 25 4.3. Security Objectives Rationale Security objectives rationale demonstrates that the specified security objectives are appropriate, sufficient to trace security problems, and essential rather than excessive. Security objectives rationale demonstrates the following: - Each threat, OSP, and assumption has at least one security objective tracing to it. - Each security objective traces to at least one threat, OSP, or assumption. training on the TOE management, and follow the administrator guidelines. OE.Secure_Management An authorized administrator of the TOE shall configure and manage the TOE in a secure manner. OE.Operating_System_Reinforcement An authorized administrator of the TOE and operational environment shall enhance security against the OS vulnerabilities to ensure that there will be no interference between the TOE and other applications. OE.Single_Point_Of_Connection The TOE divides the network of Web zone into internal and external. All Web traffic between which are transferred through the TOE. OE.Transfer_Data_Protection The TOE shall protect the TSF data transferred between a remote administrator and the TOE from unauthorized disclosure, modification, or deletion. OE.Time_Stamp The TOE shall accurately record security-related events by using reliable time stamps provided by the TOE operational environment. Security Target 4.3. Security Objectives Rationale 26 Confidential The following table shows mappings between security problem definition and security objectives. Table 4-3 Mappings between Security Problem Definition and Security Objectives Security Objective Security Problem Definition Security Objectives for the TOE Security Objectives for the Operational Environment O.Availability O.Audit O.Management O.Abnormal_Web_Request_Cutoff O.Identification_And_Authentication O.Web_Contents_Protection O.TOE_Self_Protection O.Information_Flow_Control O.Heuristics O.TSF_Data_Protection OE.Physical_Security OE.Security_Maintenance OE.Trusted_Administrator OE.Secure_Management OE.Operating_System_Reinforcement OE.Single_Point_Of_Connection OE.Transfer_Data_Protection OE.Time_Stamp T.Impersonation X X T.Breakdown X X X T.Recording_Failure X X T.Illegal_Service_Access X X X T.Abnormal_Web_Request X X X X T.Continuous_Authentication_Attempt X X T.Web_Contents_Attack X X Confidential Security target 대외비 27 Security Objective Security Problem Definition Security Objectives for the TOE Security Objectives for the Operational Environment O.Availability O.Audit O.Management O.Abnormal_Web_Request_Cutoff O.Identification_And_Authentication O.Web_Contents_Protection O.TOE_Self_Protection O.Information_Flow_Control O.Heuristics O.TSF_Data_Protection OE.Physical_Security OE.Security_Maintenance OE.Trusted_Administrator OE.Secure_Management OE.Operating_System_Reinforcement OE.Single_Point_Of_Connection OE.Transfer_Data_Protection OE.Time_Stamp T.Unauthorized_TSF_Data_Change X X P.Audit X X P.Secure_Management X X A.Physical_Security X X A.Security_Maintenance X A.Trusted_Administrator X A.Operating_System_Reinforcement X A.Single_Point_Of_Connection X A.Transfer_Data_Protection X Security Target 4.3. Security Objectives Rationale 28 Confidential 4.3.1. Rationale for the security objectives for the TOE O.Availability This objective provides availability of the TOE that ensures Web services of the protected Web server in case of a failure in the TOE, overload due to an attack, or audit storage exhaustion. Therefore, it ensures the availability of the TOE against T.Breakdown and T.Recording_Failure. O.Audit This objective ensures that, when a user uses security functions, the TOE generates audit data about each user according to the audit policy and that the TOE provides a means to maintain and review the records in a safe manner. It ensures that the TOE provides a function to take actions in case that the audit data is full. Audit data generation ensures that the TOE can detect an attacker’s identity using the audit records in case of consecutive authentication attempts. Audit records enable the TOE to trace a (cookie) reuse attack, an attack producing and sending an abnormal Web traffic, and an attempt to compromise the TSF data by header buffer overflow attack. If personal credit information on the Web server is leaked, the audit records allow one to check related information. Therefore, it counters T.Impersonation, T.Recording_Failure, T.Abnormal_Web_Request, T.Continuous_Authentication_Attempt, T.Web_Contents_Attack, and T.Unauthorized_TSF_Data_Change and enforces P.Audit. O.Management This objective is to establish information flow control rules under which the security policies are enforced to control illicit access to Web zone. To this end, the TOE shall provide a means to manage the TSF data and the TOE securely such as generating the TOE configuration data and security policy based on heuristics. Therefore, it counters T.Illegal_Service_Access and enforces P.Secure_Management, as it provides an authorized administrator with a means to administer the TOE. O.Abnormal_Web_Request_Cutoff This objective shall ensure that Web request will be shut down if there is traffic among Web- related traffic coming to the internal of the TOE that does not conform to the Web protocol or contains abnormal information. Therefore, it counters T.Abnormal_Web_Request. O.Identification_And_Authentication This objective is for the identification and authentication of a TOE user. The TOE users include an administrator that manages the TOE through an authorized access and an external IT entity (external user), which simply accesses the TOE without authentication to use the Web server in the internal network. Both shall be required to handle security-related events involving them. Identification of an administrator is necessary to give accountability to all actions by the administrator. Identification of an external IT entity is necessary to respond to and generate audit records about a cookie manipulation(reusing) attack. Any user that intends to access the TOE shall be authenticated. The authentication required for the TOE access, however, may be 4. Security Objectives Security Target Confidential 29 vulnerable to consecutive authentication attempts by an external attacker. The TOE shall therefore ensure an authentication mechanism resistant to the level of the consecutive authentication attempts by the attacker. Therefore, it counters T.Impersonation, T.Abnormal_Web_Request, and T.Continuous_Authentication_Attempt. O.Web_Contents_Protection This objective enables the TOE to check if Web contents registered on the Web server is manipulated and, if so, ensures generation of audit record and recovery of the Web contents. Therefore, it counters T.Web_Contents_Attack. O.TOE_Self_Protection This objective ensures that the TOE protects itself against breakdown of the TOE due to an unexpected attack from outside by protecting the TSF data and protecting against change or deactivation of security functionality. Therefore, it counters T.Breakdown. O.Information_Flow_Control This objective ensures that the TOE identifies and blocks various attacks that can be made in the traffic in accordance with a deny policy and allow policy. These attacks include an attack using illegal information and unauthorized access to the Web application. The TOE protects the security of the internal space of the Web zone by preventing the attacks from being imported. Therefore, it counters T.Illegal_Service_Access. O.Heuristics This objective ensures that the TOE monitors the information of packets required by the Web client for a certain amount of time and makes a profile about the results with applying the security policies that the TOE provides and that the TOE prevents illegal service access and abnormal Web request from the Web client according to the security policies applied to the profile. Therefore, it counters T.Illegal_Service_Access and T.Abnormal_Web_Request. O.TSF_Data_Protection The security policy of the TOE may not be enforced appropriately due to a modification of the TSF data resulting from an unexpected attack or TOE failure without an administrator’s recognition. This objective ensures that the TOE checks any intentional or unintentional modification to the TSF data for a correct operation of the TSF. Therefore, it counters T.Breakdown and T.Unauthorized_TSF_Data_Change. 4.3.2. Rationale for the security objectives for the operational environment OE.Physical_Security This objective ensures that TOE is located and operated in a physically secure environment. Therefore, it supports A.Physical_Security. OE.Security_Maintenance Security Target 4.3. Security Objectives Rationale 30 Confidential This objective ensures that, when the internal environment of Web zone changes due to change in the network configuration, Web server increase/decrease, Web application increase/decrease, Web service increase/decrease, etc., the changed environment and security policy are immediately reflected in the TOE operation policy to maintain security at the same level as before. Therefore, it supports A.Security_Maintenance. OE.Trusted_Administrator This objective ensures that the authorized administrator of the TOE can be trusted. Therefore, it supports A.Trusted_Administrator. OE.Secure_Management This objective ensures that the TOE is configured, managed, and used in a secure manner by an authorized administrator. Therefore, it supports A.Physical_Security and enforces P.Secure_Management. OE.Operating_System_Reinforcement This objective ensures that services or measures not required on the OS are eliminated and the OS is reinforced against vulnerabilities so the OS can be reliable and stable. Therefore, it supports A.Operating_System_Reinforcement. OE.Single_Point_Of_Connection This objective ensures that all Web traffic between the internal and external network of the Web zone will be transferred through the TOE. Therefore, it supports A.Single_Point_Of_Connection. OE.Transfer_Data_Protection This objective ensures that the TOE protects TSF data transferred between the TOE and a remote administrator from unauthorized disclosure, modification, and deletion. Therefore, it supports A.Transfer_Data_Protection. OE.Time_Stamp This objective ensures that the TOE accurately records security-relevant events by using reliable time stamps provided by the TOE operational environment. Therefore, it enforces P.Audit. 5. Extended Component Definition Security Target Confidential 31 5. Extended Component Definition This ST does not define extended components. Security Target 4.3. Security Objectives Rationale 32 Confidential 6. Security Requirements This chapter describes security functional and assurance requirements to be satisfied by the TOE that conforms to this ST. This ST defines all subjects, objects, operations, security attributes, external entities, etc. used in security requirements as follows. a) Subjects (and their security attributes), objects (and their security attributes), and operations Table 6-1 Subjects, Objects, Related Security Attributes, and Operations Subject (User) Subject (User) Security Attributes Object (Information) Object (Information) Security Attributes Operation Unauthenticated Web client on the side of information sender IP address Web traffic sent from a subject to another place through the TOE Cookie domain, cookie, Web server address, URL Allow if an allow-rule exists; block any other access Web server address, cookie, HTTP Request Message (Method, Request-URI, Request Headers) Block if a block-rule exists; allow any other access Authenticated Web server or Web application on the side of information sender IP address Web contents sent from a subject to another place through the TOE MIME, HTTP Response Message(Response- Header, Entity-Header, Message-Body) Protect contents if an appropriate rule (to transform, allow, block) exists - Transform: Allow access after transformation into the transferred data value - Allow: Allow access - Block: Block access IT entity on the side of information sender IP address Traffic sent from a subject to another place through the TOE IP address, netmask, port number, protocol, priority, packet direction Allow if an allow-rule exists; Block if a block- rule exists Authorized administrator Identifier Audit data See audit review list of Table 6-5 Audit review criteria Read, search TSF data See Table 6-14 TSF data list(1) Query See Table 6-15 TSF data list(2) Query, modify See Table 6-16 TSF data list(3) Query, delete, generate See Table 6-17 TSF data list(4) Change default, query, modify, generate, heuristics See Table 6-18 TSF data list(5) Query, modify, delete, generate See Table 6-19 Action taken in case of exceeded TSF data limit Specify limits Security attributes SECUI NXG W Information flow denial policy; See Table 6-10 Management of security attributes(1) Query, modify, delete, generate, heuristics SECUI NXG W Query, modify, delete, 6. Security Requirements Security Target Confidential 33 Subject (User) Subject (User) Security Attributes Object (Information) Object (Information) Security Attributes Operation Information flow permission policy; See Table 6-11 Management of security attributes(2) generate, heuristics SECUI NXG W Information flow Web contents protection policy; See Table 6-12 Management of security attributes(3) Query, modify, delete, generate, heuristics SECUI NXG W Information flow packet filtering policy; See Table 6-13 Management of security attributes(4) Query, modify, delete, generate SECUI NXG W Information flow packet filtering policy, packet direction and protocol Query, modify Security function See Table 6-7 List of functions(1) Disable, enable See Table 6-8 List of functions(2) Enable See Table 6-9 List of functions(3) Modify behavior b) External entity - Administrator console(CLI/GUI): An external entity that provides an interface for an authorized administrator to access the TOE and manage security functions; Web browser and administrator console program. - Web server(Web application): Server and application protected by the TOE that provide Web services. - Web client(Web browser): A user accessing an object of protection of the TOE, i.e. an external IT entity that accesses a Web server using a Web browser. - DB server (Web application): A server program for processing DB data on a Web application. - DNS server: A server that provides domain name service; a Web client can access the Web server using a domain name. - NTP server: A server program that provides time information to the TOE; it supports audit functions using a trusted time stamp. - SMTP server: A server that provides mailing service; it sends TSF-related a warning message produced by the TOE to an email specified by an administrator. - Syslog server: A server that remotely receives logs related to security events generated by the TOE 6.1. Security Functional Requirements The security functional requirement(SFR)s in this ST, which are for the purpose of satisfying the security objectives identified in Chapter 4, are composed of the functional components from the CC Part 2. Table 6-2 shows the SFR components used in this ST. Table 6-2 Security Functional Requirements Security Target 6.1. Security Functional Requirements 34 Confidential Security Functional Class Security Functional Components Security Audit FAU_ARP.1 Security alarms FAU_GEN.1 Audit data generation FAU_GEN.2 User identity association FAU_SAA.1 Potential violation analysis FAU_SAR.1 Audit review FAU_SAR.3 Selectable audit review FAU_STG.1 Protected audit trail storage FAU_STG.3 Action in case of possible audit data loss FAU_STG.4 Prevention of audit data loss User Data Protection FDP_IFC.1(1) Subset information flow control(1) FDP_IFC.1(2) Subset information flow control(2) FDP_IFC.1(3) Subset information flow control(3) FDP_IFC.1(4) Subset information flow control(4) FDP_IFF.1(1) Simple security attributes(1) FDP_IFF.1(2) Simple security attributes(2) FDP_IFF.1(3) Simple security attributes(3) FDP_IFF.1(4) Simple security attributes(4) FDP_SDI.2 Stored data integrity monitoring Identification and Authentication FIA_AFL.1 Authentication failure handling FIA_ATD.1(1) User attribute definition(1) FIA_ATD.1(2) User attribute definition(2) FIA_UAU.2 User authentication before any action FIA_UAU.7 Protected authentication feedback FIA_UID.2 User identification before any action Security Management FMT_MOF.1(1) Management of security functions behavior(1) FMT_MOF.1(2) Management of security functions behavior(2) FMT_MOF.1(3) Management of security functions behavior(3) FMT_MSA.1(1) Management of security attributes(1) FMT_MSA.1(2) Management of security attributes(2) FMT_MSA.1(3) Management of security attributes(3) FMT_MSA.1(4) Management of security attributes(4) FMT_MSA.1(5) Management of security attributes(5) FMT_MSA.3 Static attribute initialization FMT_MTD.1(1) Management of TSF data(1) FMT_MTD.1(2) Management of TSF data(2) FMT_MTD.1(3) Management of TSF data(3) FMT_MTD.1(4) Management of TSF data(4) FMT_MTD.1(5) Management of TSF data(5) FMT_MTD.2 Management of limits on TSF data FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles Protection of the TSF FPT_TEE.1 Testing of external entities FPT_FLS.1 Failure with preservation of secure state FPT_TST.1 TSF testing Resource Utilization FRU_FLT.1 Degraded fault tolerance TOE Access FTA_SSL.3 TSF-initiated termination 6. Security Requirements Security Target Confidential 35 6.1.1. Security Audit (FAU) 6.1.1.1. FAU_ARP Security audit automatic response FAU_ARP.1 Security alarms Hierarchical to: No other components Dependencies: FAU_SAA.1 Potential violation analysis FAU_ARP.1.1 The TSF shall take [ send the email to the address registered by the authorized administrator ] upon detection of a potential security violation. 6.1.1.2. FAU_GEN Security audit data generation FAU_GEN.1 Audit data generation Hierarchical to: No other components Dependencies: FPT_STM.1 Reliable time stamps FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the not specified level of audit; and c) [ Information specified in the Auditable Events column and categorized as “Others” in the Category column of Table 6-3 ] FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, [ information specified in the Additional Audit Record Contents column of Table 6-3 ] Table 6-3 Auditable Events Functional Components Auditable Events Category Additional Audit Record Contents FAU_ARP.1 Actions taken due to potential security violations Others Recipient identity of actions FAU_SAA.1 Enabling and disabling of any of the analysis mechanisms, Automated responses performed by the tool Others - FDP_IFF.1 Decisions to permit requested information flows Others Identified information of Object, Decision to deny FIA_AFL.1 The reaching of the threshold for the unsuccessful authentication attempts and the actions taken and the subsequent, if appropriate, restoration to the normal state Others - FIA_UAU.2 Unsuccessful use of the authentication mechanism Others - FIA_UID.2 Unsuccessful use of the user identification mechanism, including the user identity provided Others - Security Target 6.1. Security Functional Requirements 36 Confidential Functional Components Auditable Events Category Additional Audit Record Contents FMT_SMF.1 Use of the management functions Others - FMT_SMR.1 Modifications to the group of users that are part of a role Others - FPT_TST.1 Execution of the TSF self tests and the results of the tests Others - FRU_FLT.1 Any failure detected by the TSF Others - FTA_SSL.3 Termination of an interactive session by the session locking mechanism Others - FAU_GEN.2 User identity association Hierarchical to: No other components Dependencies: FAU_GEN.1 Audit data generation FID_UID.1 Timing of identification FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event. 6.1.1.3. FAU_SAA Security audit analysis FAU_SAA.1 Potential violation analysis Hierarchical to: No other components Dependencies: FAU_GEN.1 Audit data generation FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs. FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events: a) Accumulation or combination of [ audit event of unsuccessful authentication among the auditable events in FIA_UAU.2, audit event of Table 6-4 Information flow control rule violation among the auditable events in FDP_IFF.1, audit event of integrity violation among the auditable events in FPT_TST. 1 ] known to indicate a potential security violation; b) [ none ] Table 6-4 Audit Event of Information Flow Control Rule Violation Information Flow Control Rule Audit Event of Rule Violation SECUI NXG W Information flow denial policy Audit event where an audit record is generated that information requested by a Web client is considered an attack because it does not match the cookie domain, cookie, Web server address, and URL list registered by the TOE through heuristics. SECUI NXG W Information flow permission policy Audit event where an audit record is generated that information requested by a Web client is considered an attack because it matches the block-rule that the TSF provides based on the Web server, cookie, and HTTP Request Message registered by the TOE through heuristics. SECUI NXG W Information flow Web contents protection policy Audit event where an audit record is generated that information requested by a Web client is considered an attack because it matches the MIME attribute provided by the protected Web server and a rule to protect contents – to transform, allow, or 6. Security Requirements Security Target Confidential 37 Information Flow Control Rule Audit Event of Rule Violation block. 6.1.1.4. FAU_SAR Security audit review FAU_SAR.1 Audit review Hierarchical to: No other components Dependencies: FAU_GEN.1 Audit data generation FAU_SAR.1.1 The TSF shall provide [ the authorized administrator ] with the capability to read [ all audit data ] from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the authorized administrator to interpret the information. FAU_SAR.3 Selectable audit review Hierarchical to: No other components Dependencies: FAU_SAR.1 Audit review FAU_SAR.3.1 The TSF shall provide the ability to apply [ search ] of audit data based on [ the criteria in the Table 6-5 Audit Review Criteria ]. Table 6-5 Audit Review Criteria Type of Auditable Events Audit Review Item Criteria Allowed transaction log URL, Period setting, Client IP, Server information • Search by keywords for each audit review item. • Search by for more than one audit review item and in condition ‘AND’ Denied transaction log Warning level, URL, Period setting, Attacker IP, Server information, Result, Attack type IP firewall log Period setting, Source IP, Source port, Destination IP, Destination port, Protocol, Policy ID, Action Audit log (Configuration log) Period setting, Source ID, Destination ID, User ID System log Warning level, Period setting 6.1.1.5. FAU_STG Security audit event storage FAU_STG.1 Protected audit trail storage Hierarchical to: No other components Dependencies: FAU_GEN.1 Audit data generation FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion. FAU_STG.1.2 The TSF shall be able to prevent unauthorized modifications to the stored audit records in the audit trail. FAU_STG.3 Action in case of possible audit data loss Hierarchical to: No other components Dependencies: FAU_STG.1 Protected audit trail storage Security Target 6.1. Security Functional Requirements 38 Confidential FAU_STG.3.1 The TSF shall take [ send an email to the address registered by the authorized administrator ] if the audit trail exceeds [ 55~100% of the audit storage capacity that the administrator defined ]. FAU_STG.4 Prevention of audit data loss Hierarchical to: FAU_STG.3 Action in case of possible audit data loss Dependencies: FAU_STG.1 Protected audit trail storage FAU_STG.4.1 The TSF shall overwrite the oldest stored audit records and [ none ] if the audit trail is full. 6.1.2. User Data Protection (FDP) 6.1.2.1. FDP_IFC Information flow control policy FDP_IFC.1(1) Subset information flow control(1) Hierarchical to: No other components Dependencies: FDP_IFF.1 Simple security attributes FDP_IFC.1.1(1) The TSF shall enforce the [ SECUI NXG W Information flow denial policy ] on [ the following list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP: a) Subject: Unauthenticated Web client on the side of information sender b) Information: Web traffic sent from a subject to another place through the TOE c) Operation: Pass when allowing rules exist, otherwise block ] Application notes: This security policy is to cut off all connections with the exception of rules for distinctive allowing. In other words, the TOE is Web traffic information control policy that allows access by defining rules on services to be allowed and blocks off the others. FDP_IFC.1(2) Subset information flow control(2) Hierarchical to: No other components Dependencies: FDP_IFF.1 Simple security attributes FDP_IFC.1.1(2) The TSF shall enforce the [ SECUI NXG W Information flow permission policy ] on [ the following list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP: a) Subject: Unauthenticated Web client on the side of information sender b) Information: Web traffic sent from a subject to another place through the TOE c) Operation: Block when blocking rules exist, otherwise allow ] Application notes: This security policy is to cut off harmful traffic and unauthorized Web traffic by external IT entity based on signature included in vulnerability list data and is the policy to allow all connections with the exception of rules for explicit blocking. FDP_IFC.1(3) Subset information flow control(3) Hierarchical to: No other components 6. Security Requirements Security Target Confidential 39 Dependencies: FDP_IFF.1 Simple security attributes FDP_IFC.1.1(3) TSF shall enforce the [ SECUI NXG W Information flow Web contents protection policy ] on [ the following list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP: a) Subject: Web server or Web application program on the side of information sender b) Information: Web contents sent from a subject to another place through the TOE c) Operation: Protect contents when protecting of Web contents rules in transforming, allowing and blocking, exists - Allow after transforming into the transferred data when transforming rules exist - Allow when allowing rules exist - Block when blocking rules exist ] Application notes: This security policy defines a rule to protect Web contents provided by the Web service and protect required data if it is specified to be protected. Contents protection rules include a rule to allow, block, and transform. Web contents can be an initial homepage, image, file, personal credit information(e.g. SSN, credit card number, etc.), comment in a Web page, an error page, server header information, etc. FDP_IFC.1(4) Subset information flow control(4) Hierarchical to: No other components Dependencies: FDP_IFF.1 Simple security attributes FDP_IFC.1.1(4) The TSF shall enforce [ SECUI NXG W Information flow packet filtering policy ] on [ the following list of subjects, information, and operations that cause controlled information to flow to and from controlled subjects covered by the SFP: a) Subject: IT entity on the side of information sender b) Information: Traffic sent from a subject to another place through the TOE c) Operation: Allow when allowing rules exist, block when blocking rules exist ] Application notes: This security policy is packet filtering policy to control flow of all packets that flows into or out of the TOE, which includes allowing and blocking rules. Also, it is in control of information flow of a packet by using packet direction and priority. 6.1.2.2. FDP_IFF Information flow control functions FDP_IFF.1(1) Simple security attributes(1) Hierarchical to: No other components Dependencies: FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialization FDP_IFF.1.1(1) The TSF shall enforce the [ SECUI NXG W Information flow denial policy ] on the following types of subject and information security attributes: a) [ List of subjects: Unauthenticated Web client on the side of information sender Subject security attributes: IP address Security Target 6.1. Security Functional Requirements 40 Confidential b) List of information: Web traffic sent from a subject to another place through the TOE Information security attributes: MIME, Method, Header ] FDP_IFF.1.2(1) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: a) [ Permit an information flow if MIME, Method, and Header of the HTTP header of the Web traffic required by the Web client are included in the list of MIME, Method, and Header provided by the TOE. b) Permit an information flow if MIME, Method, and Header of the HTTP header of the Web traffic required by the Web client are registered by an administrator or by heuristics in the list of MIME, Method, and Header provided by the TOE. ] FDP_IFF.1.3(1) The TSF shall enforce the [ none ]. FDP_IFF.1.4(1) TSF shall explicitly authorize an information flow based on the following rules: [ none ] FDP_IFF.1.5(1) The TSF shall explicitly deny an information flow based on the following rules: [ none ] FDP_IFF.1(2) Simple security attributes(2) Hierarchical to: No other components Dependencies: FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialization FDP_IFF.1.1(2) The TSF shall enforce the [ SECUI NXG W Information flow permission policy ] based on the following types of subject and information security attributes: a) [ List of subjects: Unauthenticated Web client on the side of information sender Subject security attributes: IP address b) List of information: Web traffic sent from a subject to another place through the TOE Information security attributes: Web server address, cookie, cookie domain, HTTP request message(Method, Request-URI, Request Headers, URL) ] FDP_IFF.1.2(2) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: a) [ Compare a cookie sent from a Web client with one stored in the Web session data, which contains issued information about the Web session cookie. Reject a session for the cookie that is used on an IP address other than issued ones or whose Web session cookie valid time is expired. b) Deny access request if HTTP Request Message is known to the TOE through heuristics or matches the following security policy of a Web server URL specified by an administrator: URL check, Header buffer overflow check, Password check, URL-based access control, URL 6. Security Requirements Security Target Confidential 41 extension check, GET query check, POST query check, Header method check, SQL injection protection, Cross-site scripting protection, Command injection protection, Hidden field manipulation protection, or Base64 encoding check rule. ] Application notes: Heuristics policy of a cookie and cookie domain can be divided into ‘Application of Default Domain policy to all traffics’ and ‘Application of Default Domain policy to unregistered domain traffics.’ In the case of ‘Application of Default Domain policy to all traffics,’ all cookies and cookie domains will be under application of the examination rules of Default Domain policy. In the case of ‘Application of Default Domain policy to unregistered domain traffics,’ the cookies and cookie domains added by heuristics or an administrator will follow the rule specified in each domain, while those not registered will follow the rules of Default Domain policy. Heuristics policy of a Web server address and URL can be divided into ‘Application of Default Server policy to all traffics,’ ‘Application of Default Server policy to unregistered server traffics,’ and ‘No applied policy to unregistered server traffics.’ In the case of ‘Application of Default Server policy to all traffics,’ all Web traffics monitored shall follow the rules of Default Server policy, otherwise rejected. In the case of ‘Application of Default Server policy to unregistered server traffics,’ the server traffics added by heuristics or an administrator will follow the rule specified in each server, while those not registered will follow the rules of Default Server policy. ‘No applied policy to unregistered server traffics’ is a policy used to monitor any traffic with no policy rules applied to the unregistered server traffics. FDP_IFF.1.3(2) The TSF shall enforce the [ following rule: a) [ When the SSL induction is in use, the TOE sends an HTTP response message that says access should be done by HTTPS to a Web client that made an HTTP request, so that the HTTP request will be denied. ] FDP_IFF.1.4(2) The TSF shall explicitly authorize an information flow based on the following rules: a) [ In case that exceptional IP address is defined, the TOE explicitly permits access if the address of a Web client that is trying to access is same with that defined as exceptional IP address. ] Application notes: The IP address of a Web server administrator shall be included in the exceptional IP addresses. FDP_IFF.1.5(2) The TSF shall explicitly deny an information flow based on the following rules: a) [ The TOE shall deny request for access if information sent from a Web client contains abnormal cookie structure. ] FDP_IFF.1(3) Simple security attributes(3) Hierarchical to: No other components Dependencies: FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialization FDP_IFF.1.1(3) The TSF shall enforce the [ SECUI NXG W Information flow Web contents protection policy ] based on the following types of subject and information security attributes: Security Target 6.1. Security Functional Requirements 42 Confidential a) [ List of subjects: Web server or Web application on the side of information sender Subject security attributes: IP address b) List of information: Web contents sent from a subject to another place through the TOE Information security attributes: MIME, HTTP Response Message(Response-Header, Entity-Header, Message-Body) ] FDP_IFF.1.2(3) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: a) [The TOE transforms a requested information if a rule to transform among the Web contents examination rules(e.g. Error page handling, Comment removal, Server information cloaking, SSN protection, and Credit card number protection) applies to the contents such as MIME or HTTP Response Message that the Web server or Web application provides at the request of the Web client. b) The TOE shall allow access if a rule to allow among the Web contents examination rules(e.g. Forbidden word check, SSN protection, Credit card number protection, and checksum protection) applies to the contents such as MIME or HTTP Response Message that the Web server or Web application provides at the request of the Web client. c) The TOE shall deny access of a rule to block among the Web contents examination rules(e.g. Forbidden word check, SSN protection, Credit card number protection, and checksum protection) applies to the contents such as MIME or HTTP Response Message that the Web server or Web application provides at the request of the Web client. ] FDP_IFF.1.3(3) The TSF shall enforce the [ none ]. FDP_IFF.1.4(3) The TSF shall explicitly authorize an information flow based on the following rules: [ none ]. FDP_IFF.1.5(3) The TSF shall explicitly deny an information flow based on the following rules: [ none ]. FDP_IFF.1(4) Simple security attributes(4) Hierarchical to: No other components Dependencies: FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialization FDP_IFF.1.1(4) The TSF shall enforce the [ SECUI NXG W Information flow packet filtering policy ] based on the following types of subject and information security attributes: a) [ List of subjects: IT entity on the side of information sender Subject security attributes: IP address b) List of information: Traffic sent from a subject to another place through the TOE Information security attributes: IP address, netmask, port number, 6. Security Requirements Security Target Confidential 43 protocol, priority, packet direction ] FDP_IFF.1.2(4) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: a) [ The TOE shall deny an information flow based on the IP address, netmask, port number, protocol, and packet direction of a destination that should be explicitly blocked according to the priority set up by an authorized administrator. b) The TOE shall permit an information flow based on the IP address, netmask, port number, protocol, and packet direction of a destination that should be explicitly allowed according to the priority set up by an authorized administrator. ] FDP_IFF.1.3(4) The TSF shall enforce the [ none ]. FDP_IFF.1.4(4) The TSF shall explicitly authorize an information flow based on the following rules: [ none ]. FDP_IFF.1.5(4) The TSF shall explicitly deny an information flow based on the following rules: [ none ]. 6.1.2.3. FDP_SDI Stored data integrity FDP_SDI.2 Stored data integrity monitoring and action Hierarchical to: FDP_SDI.1 Stored data integrity monitoring Dependencies: No dependencies FDP_SDI.2.1 The TSF shall monitor user data stored in containers controlled by the TSF for [ integrity errors ] on all objects, based on the following attributes: [ Types of MIME: text/plain, text/css, multipart/form-data, application/x- www-form-urlencoded, application/x-hwp, application/unknown, application/octet-stream, application/pdf, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x- shockwave-flash, message/http, image/bmp, image/gif, image/jpeg, video/mpeg, video/x-msvideo ] FDP_SDI.2.2 Upon detection of a data integrity error, the TSF shall [ take actions as described in the Table 6-6 Actions to be taken upon detection of an integrity error ]. Table 6-6 Actions to be Taken Upon Detection of an Integrity Error Action Description DROP To destroy requests for a packet, to send an email, to generate audit records Warning page To display a warning page set up by an administrator, to send an email, to generate audit records Redirect To redirect to a page that set up by an administrator, to send an email, to generate audit records Application notes: User data attributes, Web contents, include an initial homepage, image, and file. The TOE may specify the user data attributes as a MIME type; integrity monitoring should only be performed on the objects that have the specified attributes. Security Target 6.1. Security Functional Requirements 44 Confidential 6.1.3. Identification and Authentication (FIA) 6.1.3.1. FIA_AFL Authentication failures FIA_AFL.1 Authentication failure handling Hierarchical to: No other components Dependencies: FIA_UAU.1 Timing of authentication FIA_AFL.1.1 The TSF shall detect when [ 3 ] unsuccessful authentication attempts occur related to [ administrator authentication attempts ]. FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met, the TSF shall [ block login from the failed identifier(administrator ID) for the next 5 minutes ]. 6.1.3.2. FIA_ATD User attribute definition FIA_ATD.1(1) User attribute definition(1) Hierarchical to: No other components Dependencies: No dependencies FIA_ATD.1.1(1) The TSF shall maintain the following list of security attributes belonging to individual authorized administrator: a) [ Identifier b) Password c) Authority ] Application notes: Authorized administrators are comprised of a super administrator, server administrator, and user. ‘Authority’ among the security attributes means the permitted range of security functions that can be performed by each role. FIA_ATD.1(2) User attribute definition(2) Hierarchical to: No other components Dependencies: No dependencies FIA_ATD.1.1(2) The TSF shall maintain the following list of security attributes belonging to individual IT entities: [ IP address ] Application notes: An IT entity of the TSF refers to the equipment of an administrator who intends to access the TOE through identification. 6.1.3.3. FIA_UAU User authentication FIA_UAU.2 User authentication before any action Hierarchical to: FIA_UAU.1 Timing of authentication Dependencies: FIA_UID.1 Timing of identification FIA_UAU.2.1 The TSF shall require each administrator to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that administrator. 6. Security Requirements Security Target Confidential 45 FIA_UAU.7 Protected authentication feedback Hierarchical to: No other components Dependencies: FIA_UAU.1 Timing of authentication FIA_UAU.7.1 The TSF shall provide only [ input characters displayed as an asterisk (‘*’) ] to the administrator while the authentication is in progress. 6.1.3.4. FIA_UID User identification FIA_UID.2 User identification before any action Hierarchical to: FIA_UID.1 Timing of identification Dependencies: No dependencies FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. 6.1.4. Security Management (FMT) 6.1.4.1. FMT_MOF Management of functions in TSF FMT_MOF.1(1) Management of security functions behavior(1) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of management Functions FMT_SMR.1 Security roles FMT_MOF.1.1(1) The TSF shall restrict the ability to disable, enable the functions [ of Table 6-7 List of functions(1) ] to [ the authorized administrator ]. Table 6-7 List of Functions(1) Function Authority Operate the function of system monitoring Super administrator Operate the function for each TOE information flow control rule Super administrator, server administrator Operate the function of automatic heuristics in Redirect server Super administrator, server administrator Operate the function of each Web server Super administrator, server administrator FMT_MOF.1(2) Management of security functions behavior(2) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of management Functions FMT_SMR.1 Security roles FMT_MOF.1.1(2) The TSF shall restrict the ability to enable the functions [ of Table 6-8 List of functions(2) ] to [ the authorized administrator ]. Security Target 6.1. Security Functional Requirements 46 Confidential Table 6-8 List of Functions(2) Function Authority Initialize the system configuration Super administrator Restart the services(TSF process) Super administrator Restart the system Super administrator Backup and recover the TOE configuration data Super administrator Execute the CLI commands Super administrator, server administrator, user Check the integrity Super administrator Print out reports Super administrator, server administrator, user FMT_MOF.1(3) Management of security functions behavior(3) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of management Functions FMT_SMR.1 Security roles FMT_MOF.1.1(3) The TSF shall restrict the ability to modify the behavior of the functions [ of Table 6-9 List of functions(3) ] to [ the authorized administrator ]. Table 6-9 List of Functions(3) Function Authority Define the operation mode of the TOE Super administrator Trail audit records Super administrator Set up the operation mode of the TOE automatic heuristics Super administrator, Server administrator Apply the security policy of a cookie domain Super administrator, Server administrator Apply the security policy of a cookie Super administrator, Server administrator Set up the operation mode of heuristics of a Web server URL Super administrator, Server administrator Apply the security policy of a Web server URL Super administrator, Server administrator Apply the monitoring traffic policy in automatic heuristics Super administrator, Server administrator Apply the non-monitoring traffic policy Super administrator, Server administrator Set up the operation mode of heuristics of each Web server Super administrator, Server administrator Apply the heuristics policy of each Web server Super administrator, Server administrator Whether to permit an abnormal Escape word Super administrator, Server administrator 6.1.4.2. FMT_MSA Management of security attributes FMT_MSA.1(1) Management of security attributes(1) Hierarchical to: No other components Dependencies: [ FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control ] FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MSA.1.1(1) The TSF shall enforce the [ SECUI NXG W Information flow denial policy ] to restrict the ability to query, modify, delete, [ generate, learn(collect data by 6. Security Requirements Security Target Confidential 47 heuristics) ] the security attributes [ in the Table 6-10 Management of security attributes(1) ] to [ the authorized administrator ]. Table 6-10 Management of Security Attributes(1) Security Attribute Authority MIME Super administrator, Server administrator Method Super administrator, Server administrator Header Super administrator, Server administrator FMT_MSA.1(2) Management of security attributes(2) Hierarchical to: No other components Dependencies: [ FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control ] FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MSA.1.1(2) The TSF shall enforce the [ SECUI NXG W Information flow permission policy ] to query, modify, delete, [ generate, learn(collect data by heuristics) ] the security attributes [ in the Table 6-11 Management of security attributes(2) ] to [ the authorized administrator ]. Table 6-11 Management of Security Attributes(2) Security Attribute Authority Web server address Super administrator, Server administrator Cookie Super administrator, Server administrator Cookie domain Super administrator, Server administrator URL Super administrator, Server administrator HTTP Request Message Super administrator, Server administrator FMT_MSA.1(3) Management of security attributes(3) Hierarchical to: No other components Dependencies: [ FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control ] FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MSA.1.1(3) The TSF shall enforce the [ SECUI NXG W Information flow Web contents protection policy ] to query, modify, delete, [ generate, learn(collect data by heuristics) ] the security attributes [ in the Table 6-12 Management of security attributes(3) ] to [ the authorized administrator ]. Table 6-12 Management of Security Attributes(3) Security Attribute Authority MIME Super administrator, Server administrator HTTP Response Message Super administrator, Server administrator FMT_MSA.1(4) Management of security attributes(4) Security Target 6.1. Security Functional Requirements 48 Confidential Hierarchical to: No other components Dependencies: [ FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control ] FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MSA.1.1(4) The TSF shall enforce the [ SECUI NXG W Information flow packet filtering policy ] to query, modify, delete, [ generate ] the security attributes [ in the Table 6-13 Management of security attributes(4) ] to [ the authorized administrator ]. Table 6-13 Management of Security Attributes(4) Security Attribute Authority Source IP address Super administrator Source netmask Super administrator Destination IP address Super administrator Destination port number Super administrator Priority Super administrator FMT_MSA.1(5) Management of security attributes(5) Hierarchical to: No other components Dependencies: [ FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control ] FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MSA.1.1(5) The TSF shall enforce the [ SECUI NXG W Information flow packet filtering policy ] to query, modify the security attributes [ packet direction, protocol ] to [ the authorized administrator ]. FMT_MSA.3 Static attribute initialization Hierarchical to: No other components Dependencies: FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_MSA.3.1 The TSF shall enforce the [ SECUI NXG W Information flow denial policy, SECUI NXG W Information flow permission policy, SECUI NXG W Information flow Web contents protection policy, SECUI NXG W Information flow packet filtering policy ] to provide restrictive default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2 The TSF shall allow the [ super administrator, server administrator ] to specify alternative initial values to override the default values when an object or information is created. 6.1.4.3. FMT_MTD Management of TSF data FMT_MTD.1(1) Management of TSF data(1) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of Management Functions 6. Security Requirements Security Target Confidential 49 FMT_SMR.1 Security roles FMT_MTD.1.1(1) The TSF shall restrict the ability to query the [ TSF data in the Table 6-14 List of TSF data(1) ] to [ the authorized administrator ]. Table 6-14 List of TSF Data(1) TSF Data Authority 권한 System status information Super administrator, Server administrator, User Information of real-time traffic status Super administrator, Server administrator, User Statistics of the TOP10 among blocked Web intrusion events Super administrator, Server administrator, User Real-time monitoring information of blocked Web intrusion events Super administrator, Server administrator, User Log search information of an audit review items for each type of audit event Super administrator, Server administrator, User Statistics of an audit for a specific period of time Super administrator, Server administrator, User Time information of the TOE Super administrator, Server administrator, User Time limit of an administrator session Super administrator, Server administrator, User Permitted number of login sessions Super administrator, Server administrator, User Number of concurrent sessions of super administrators Super administrator, Server administrator, User Administrator interface information Super administrator, Server administrator, User Information of the TOE network interface Super administrator, Server administrator, User Information of the TOE network Zone Super administrator, Server administrator, User Information of the TOE bridge interface Super administrator, Server administrator, User LLCF setup information Super administrator, Server administrator, User Address of each operation mode of the TOE network Super administrator, Server administrator, User Interface information of each operation mode of the TOE network Super administrator, Server administrator, User HA setup information Super administrator, Server administrator, User Routing configuration information Super administrator, Server administrator, User Address of other servers (DNS, NTP) Super administrator, Server administrator, User Configuration information of a host name Super administrator, Server administrator, User Warning page Super administrator, Server administrator, User Configuration information of a policy bypass for the purpose of administration Super administrator, Server administrator, User Configuration information of an administrator mail Super administrator, Server administrator, User Information about enabling audit functions and criteria of audit records trail Super administrator, Server administrator, User Site (automatic) heuristics setup information Super administrator, Server administrator, User Remote log server setup information Super administrator, Server administrator, User FMT_MTD.1(2) Management of TSF data(2) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MTD.1.1(2) The TSF shall restrict the ability to query, modify the [ TSF data in the Table 6-15 List of TSF data(2) ] to [ the authorized administrator ]. Table 6-15 List of TSF Data(2) TSF Data Authority Version and information of the TOE Super administrator Security Target 6.1. Security Functional Requirements 50 Confidential TSF Data Authority Time information of the TOE Super administrator Time limit of an administrator session Super administrator Permitted number of login sessions Super administrator Number of concurrent sessions of super administrators Super administrator Administrator interface information Super administrator Information of the TOE network interface Super administrator Information of the TOE network Zone Super administrator Information of the TOE bridge interface Super administrator LLCF setup information Super administrator Address of each operation mode of the TOE network Super administrator Interface information of each operation mode of the TOE network Super administrator Address of other servers (DNS, NTP) Super administrator Information about enabling audit functions and criteria of audit records trail Super administrator Remote log server setup information Super administrator HA setup information Super administrator, server administrator Configuration information of a policy bypass group for the purpose of administration Super administrator Configuration information of a policy bypass administrator email for the purpose of administration Super administrator URL property information of each Web server Super administrator, server administrator FMT_MTD.1(3) Management of TSF data(3) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MTD.1.1(3) The TSF shall restrict the ability to query, delete, [ generate ] the [ TSF data in the Table 6-16 List of TSF data(3) ] to [ the authorized administrator ]. Table 6-16 List of TSF Data(3) TSF Data Authority Setup information of each Web server heuristics: MIME list, Method list, and Header list Super administrator, server administrator Site (automatic) heuristics setup information Super administrator, server administrator FMT_MTD.1(4) Management of TSF data(4) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MTD.1.1(4) The TSF shall restrict the ability to change_default, query, modify, delete, [ generate, learn(collect data by heuristics) ] the [ TSF data in the Table 6-17 List of TSF data(4) ] to [ the authorized administrator ]. Table 6-17 List of TSF Data(4) TSF Data Authority Configuration information of SECUI NXG W Information flow Super administrator, server 6. Security Requirements Security Target Confidential 51 denial policy administrator Configuration information of SECUI NXG W Information flow permission policy Super administrator, server administrator Configuration information of SECUI NXG W Information flow Web contents protection policy Super administrator, server administrator FMT_MTD.1(5) Management of TSF data(5) Hierarchical to: No other components Dependencies: FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles FMT_MTD.1.1(5) The TSF shall restrict the ability to query, modify, delete, [ generate ] the [ TSF data in the Table 6-18 List of TSF data(5) ] to [ the authorized administrator ]. Table 6-18 List of TSF Data(5) TSF Data Authority Configuration information of an administrator mail Super administrator Warning page Super administrator Configuration information of a policy bypass for the purpose of administration Super administrator Information about identification and authentication of an administrator Super administrator, server administrator, user Configuration information of a host name Super administrator Routing configuration information Super administrator Configuration information of each Web server URL host Super administrator, server administrator IP address and Port configuration information of each Web server Super administrator, server administrator Configuration information of an SSL certificate Super administrator, server administrator Configuration information of SECUI NXG W Information flow packet filtering policy Super administrator FMT_MTD.2 Management of limits on TSF data Hierarchical to: No other components Dependencies: FMT_MTD.1 Management of TSF data FMT_SMR.1 Security roles FMT_MTD.2.1 The TSF shall restrict the specification of the limits for [ the TSF data in the Table 6-19 ] to [ the super administrator, server administrator ]. FMT_MTD.2.2 The TSF shall take the following actions, if the TSF data are at, or exceed, the indicated limits: [ actions in the Table 6-19 ] Table 6-19 Actions in Case of Reached or Exceeded TSF Data Limits TSF Data Limit Action Time limit of an administrator session 1~600(minutes) Terminate GUI and re-authenticate Permitted number of login sessions 1~256 Block access to GUI Cookie session timeout 60~86400(seconds) Terminate the cookie session HTTP header size 1024 ~ 16384 bytes Deny requested Web traffic, email an administrator, make an audit record Security Target 6.1. Security Functional Requirements 52 Confidential TSF Data Limit Action Display a warning message, email an administrator, make an audit record Redirect to a URL designated by an administrator, email an administrator, make an audit record Number of hidden SSN figures 1~13 Replace the figure with ‘*’ Number of hidden credit card number figures 1~16 Replace the figure with ‘*’ Number of GET query 1~9999 Deny requested query, email an administrator, make an audit record Display a warning message, email an administrator, make an audit record Redirect to a URL designated by an administrator, email an administrator, make an audit record Number of POST query 1~9999 Deny requested query, email an administrator, make an audit record Display a warning message, email an administrator, make an audit record Redirect to a URL designated by an administrator, email an administrator, make an audit record 6.1.4.4. FMT_SMF Specification of management functions FMT_SMF.1 Specification of management functions Hierarchical to: No other components Dependencies: No dependencies FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: a) [Functions specified in FMT_MOF.1 Management of security functions behavior b) Functions specified in FMT_MSA.1 Management of security attributes c) Functions specified in FMT_MSA.3 Static attribute initialization d) Functions specified in FMT_MTD.1 Management of TSF data e) Functions specified in FMT_MTD.2 Management of limits on TSF data ] 6.1.4.5. FMT_SMR Security management roles FMT_SMR.1 Security roles Hierarchical to: No other components Dependencies: FIA_UID.1 Timing of identification FMT_SMR.1.1 The TSF shall maintain the roles: a) [ Super administrator b) Server administrator c) User ] FMT_SMR.1.2 The TSF shall be able to associate authorized administrators with roles. 6. Security Requirements Security Target Confidential 53 6.1.5. Protection of the TSF (FPT) 6.1.5.1. FPT_FLS Fail secure FPT_FLS.1 Failure with preservation of secure state Hierarchical to: No other components Dependencies: No dependencies FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur: [ Irregular termination of an application process that comprises the TOE, error in a network circuit ] 6.1.5.2. FPT_TEE Testing of external entities FPT_TEE.1 Testing of external entities Hierarchical to: No other components Dependencies: No dependencies FPT_TEE.1.1 The TSF shall run a suite of tests during initial start-up, periodically during normal operation, [ at the restart of the TOE by an authorized administrator ] to check the fulfillment of [ the following properties of the external entities: Disk, Memory, CPU, each network interface ]. FPT_TEE.1.2 If the test fails, the TSF shall [ make an audit record about the failure of testing of external entities ]. 6.1.5.3. FPT_TST TSF self test FPT_TST.1 TSF testing Hierarchical to: No other components Dependencies: No dependencies FPT_TST.1.1 The TSF shall run a suite of self tests during initial start-up, at the request of the authorized administrator to demonstrate the correct operation of the TSF. FPT_TST.1.2 The TSF shall provide authorized administrators with the capability to verify the integrity of [ TSF configuration file, identification and authentication data ]. FPT_TST.1.3 The TSF shall provide authorized administrators with the capability to verify the integrity of stored TSF executable code. 6.1.6. Resource Utilization (FRU) 6.1.6.1. FRU_FLT Fault tolerance FRU_FLT.1 Degraded fault tolerance Hierarchical to: No other components Dependencies: FPT_FLS.1 Failure with preservation of secure state FRU_FLT.1.1 The TSF shall ensure the operation of [ restart of the application process Security Target 6.2. Security Assurance Requirements 54 Confidential that has been irregularly terminated, B-Master acting as Master to perform all activities of the TOE ] when the following failures occur: [ Types of TSF failures in FPT_FLS.1 ] 6.1.7. TOE Access (FTA) 6.1.7.1. FTA_SSL Session locking and termination FTA_SSL.3 TSF-initiated termination Hierarchical to: No other components Dependencies: No dependencies FTA_SSL.3.1 The TSF shall terminate an interactive session after [ 1~600 minutes of an administrator inactivity after identification of that administrator ]. 6.2. Security Assurance Requirements The security assurance requirement (SAR)s in this ST are composed of the assurance components from the CC Part 3. The targeted assurance level in this ST is EAL4. The following table shows the assurance components. Table 6-20 Security Assurance Requirements: EAL4 Assurance Class Assurance Component Security target evaluation ASE_INT.1 ST introduction ASE_ECD.1 Extended components definition ASE_CLL.1 Conformance claims ASE_OBJ.2 Security objectives ASE_REQ.2 Derived security requirements ASE_SPD.1 Security problem definition ASE_TSS.1 TOE summary specification Development ADV_ARC.1 Security architecture description ADV_FSP.4 Complete functional specification ADV_IMP.1 Implementation representation of the TSF ADV_TDS.3 Basic modular design Guidance documents AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures Life cycle support ACL_CMC.4 Production support, acceptance procedures and automation ACL_CMS.4 Problem tracking CM coverage ACL_DEL.1 Delivery procedures ACL_DVS.1 Identification of security measures ACL_LCD.1 Developer defined life-cycle model ACL_TAT.1 Well-defined development tools Tests ATE_COV.2 Analysis of coverage ATE_DPT.2 Testing: security enforcing module ATE_FUN.1 Functional testing ATE_IND.2 Independent testing – sample Vulnerability assessment AVA_VAN.3 Focused vulnerability analysis 6. Security Requirements Security Target Confidential 55 6.2.1. Security Target Evaluation (ASE) 6.2.1.1. ASE_INT.1 ST introduction Dependencies: No dependencies Developer action elements ASE_INT.1.1D The developer shall provide an ST introduction. Content and presentation elements ASE_INT. 1.1C The ST introduction shall contain an ST reference, a TOE reference, a TOE overview and a TOE description. ASE_INT. 1.2C The ST reference shall uniquely identify the ST. ASE_INT. 1.3C The TOE reference shall identify the TOE. ASE_INT. 1.4C The TOE overview shall summarize the usage and major security features of the TOE. ASE_INT. 1.5C The TOE overview shall identify the TOE type. ASE_INT. 1.6C The TOE overview shall identify any non-TOE hardware/software/firmware required by the TOE. ASE_INT. 1.7C The TOE description shall describe the physical scope of the TOE. ASE_INT. 1.8C The TOE description shall describe the logical scope of the TOE. Evaluator action elements ASE_INT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ASE_INT.1.2E The evaluator shall confirm that the TOE reference, the TOE overview, and the TOE description are consistent with each other. 6.2.1.2. ASE_ECD.1 Extended components definition Dependencies: No dependencies Developer action elements ASE_ECD.1.1D The developer shall provide a statement of security requirements. ASE_ECD.1.2D The developer shall provide an extended components definition. Content and presentation elements ASE_ECD.1.1C The statement of security requirements shall identify all extended security requirements. ASE_ECD.1.2C The extended components definition shall define an extended component for each extended security requirement. ASE_ECD.1.3C The extended components definition shall describe how each extended component is related to the existing CC components, families, and classes. Security Target 6.2. Security Assurance Requirements 56 Confidential ASE_ECD.1.4C The extended components definition shall use the existing CC components, families, classes, and methodology as a model for presentation. ASE_ECD.1.5C The extended components shall consist of measurable and objective elements such that conformance or nonconformance to these elements can be demonstrated. Evaluator action elements ASE_ECD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ASE_ECD.1.2E The evaluator shall confirm that no extended component can be clearly expressed using existing components. 6.2.1.3. ASE_CCL.1 Conformance claims Dependencies: ASE_INT.1 ST introduction ASE_ECD.1 Extended components definition ASE_REQ.1 Stated security requirements Developer action elements ASE_CCL.1.1D The developer shall provide a conformance claim. ASE_CCL.1.2D The developer shall provide a conformance claim rationale. Content and presentation elements ASE_CCL.1.1C The conformance claim shall contain a CC conformance claim that identifies the version of the CC to which the ST and the TOE claim conformance. ASE_CCL.1.2C The CC conformance claim shall describe the conformance of the ST to CC Part 2 as either CC Part 2 conformant or CC Part 2 extended. ASE_CCL.1.3C The CC conformance claim shall describe the conformance of the ST to CC Part 3 as either CC Part 3 conformant or CC Part 3 extended. ASE_CCL.1.4C The CC conformance claim shall be consistent with the extended components definition. ASE_CCL.1.5C The conformance claim shall identify all PPs and security requirement packages to which the ST claims conformance. ASE_CCL.1.6C The conformance claim shall describe any conformance of the ST to a package as either package-conformant or package-augmented. ASE_CCL.1.7C The conformance claim rationale shall demonstrate that the TOE type is consistent with the TOE type in the PPs for which conformance is being claimed. ASE_CCL.1.8C The conformance claim rationale shall demonstrate that the statement of the security problem definition is consistent with the statement of the security problem definition in the PPs for which conformance is being claimed. ASE_CCL.1.9C The conformance claim rationale shall demonstrate that the statement of security objectives is consistent with the statement of security objectives in the 6. Security Requirements Security Target Confidential 57 PPs for which conformance is being claimed. ASE_CCL.1.10CThe conformance claim rationale shall demonstrate that the statement of security requirements is consistent with the statement of security requirements in the PPs for which conformance is being claimed. Evaluator action elements ASE_CCL.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.1.4. ASE_OBJ.2 Security objectives Dependencies: ASE_SPD.1 Security problem definition Developer action elements ASE_OBJ.2.1D The developer shall provide a statement of security objectives. ASE_OBJ.2.2D The developer shall provide a security objectives rationale. Content and presentation elements ASE_OBJ.2.1C The statement of security objectives shall describe the security objectives for the TOE and the security objectives for the operational environment. ASE_OBJ.2.2C The security objectives rationale shall trace each security objective for the TOE back to threats countered by that security objective and OSPs enforced by that security objective. ASE_OBJ.2.3C The security objectives rationale shall trace each security objective for the operational environment back to threats countered by that security objective, OSPs enforced by that security objective, and assumptions upheld by that security objective. ASE_OBJ.2.4C The security objectives rationale shall demonstrate that the security objectives counter all threats. ASE_OBJ.2.5C The security objectives rationale shall demonstrate that the security objectives enforce all OSPs. ASE_OBJ.2.6C The security objectives rationale shall demonstrate that the security objectives for the operational environment uphold all assumptions. Evaluator action elements ASE_OBJ.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.1.5. ASE_REQ.2 Derived security requirements Dependencies: ASE_OBJ.2 Security objectives ASE_ECD.1 Extended components definition Developer action elements Security Target 6.2. Security Assurance Requirements 58 Confidential ASE_REQ.2.1D The developer shall provide a statement of security requirements. ASE_REQ.2.2D The developer shall provide a security requirements rationale. Content and presentation elements ASE_REQ.2.1C The statement of security requirements shall describe the SFRs and the SARs. ASE_REQ.2.2C All subjects, objects, operations, security attributes, external entities and other terms that are used in the SFRs and the SARs shall be defined. ASE_REQ.2.3C The statement of security requirements shall identify all operations on the security requirements. ASE_REQ.2.4C All operations shall be performed correctly. ASE_REQ.2.5C Each dependency of the security requirements shall either be satisfied, or the security requirements rationale shall justify the dependency not being satisfied. ASE_REQ.2.6C The security requirements rationale shall trace each SFR back to the security objectives for the TOE. ASE_REQ.2.7C The security requirements rationale shall demonstrate that the SFRs meet all security objectives for the TOE. ASE_REQ.2.8C The security requirements rationale shall explain why the SARs were chosen. ASE_REQ.2.9C The statement of security requirements shall be internally consistent. Evaluator action elements ASE_REQ.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.1.6. ASE_SPD.1 Security problem definition Dependencies: No dependencies Developer action elements ASE_SPD.1.1D The developer shall provide a security problem definition. Content and presentation elements ASE_SPD.1.1C The security problem definition shall describe the threats. ASE_SPD.1.2C All threats shall be described in terms of a threat agent, an asset, and an adverse action. ASE_SPD.1.3C The security problem definition shall describe the OSPs. ASE_SPD.1.4C The security problem definition shall describe the assumptions about the operational environment of the TOE. Evaluator action elements ASE_SPD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.1.7. ASE_TSS.1 TOE summary specification 6. Security Requirements Security Target Confidential 59 Dependencies: ASE_INT.1 ST introduction ASE_REQ.1 Stated security requirements ADV_FSP.1 Basic functional specification Developer action elements ASE_TSS.1.1D The developer shall provide a TOE summary specification. Content and presentation elements ASE_TSS.1.1C The TOE summary specification shall describe how the TOE meets each SFR. Evaluator action elements ASE_TSS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ASE_TSS.1.2E The evaluator shall confirm that the TOE summary specification is consistent with the TOE overview and the TOE description. 6.2.2. Development (ADV) 6.2.2.1. ADV_ARC.1 Security architecture description Dependencies: ADV_FSP.1 Basic functional specification ADV_TDS.1 Basic design Developer action elements ADV_ARC.1.1D The developer shall design and implement the TOE so that the security features of the TSF cannot be bypassed. ADV_ARC.1.2D The developer shall design and implement the TSF so that it is able to protect itself from tampering by untrusted active entities. ADV_ARC.1.3D The developer shall provide a security architecture description of the TSF. Content and presentation elements ADV_ARC.1.1C The security architecture description shall be at a level of detail commensurate with the description of the SFR-enforcing abstractions described in the TOE design document. ADV_ARC.1.2C The security architecture description shall describe the security domains maintained by the TSF consistently with the SFRs. ADV_ARC.1.3C The security architecture description shall describe how the TSF initialization process is secure. ADV_ARC.1.4C The security architecture description shall demonstrate that the TSF protects itself from tampering. ADV_ARC.1.5C The security architecture description shall demonstrate that the TSF prevents bypass of the SFR-enforcing functionality. Security Target 6.2. Security Assurance Requirements 60 Confidential Evaluator action elements ADV_ARC.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.2.2. ADV_FSP.4 Complete functional specification Dependencies: ADV_TDS.1 Basic design Developer action elements ADV_FSP.4.1D The developer shall provide a functional specification. ADV_FSP.4.2D The developer shall provide a tracing from the functional specification to the SFRs. Content and presentation elements ADV_FSP.4.1C The functional specification shall completely represent the TSF. ADV_FSP.4.2C The functional specification shall describe the purpose and method of use for all TSFI. ADV_FSP.4.3C The functional specification shall identify and describe all parameters associated with each TSFI. ADV_FSP.4.4C The functional specification shall describe all actions associated with each TSFI. ADV_FSP.4.5C The functional specification shall describe all direct error messages that may result from an invocation of each TSFI. ADV_FSP.4.6C The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification. Evaluator action elements ADV_FSP.4.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ADV_FSP.4.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs. 6.2.2.3. ADV_IMP.1 Implementation representation of the TSF Dependencies: ADV_TDS.3 Basic modular design ADV_TAT.1 Well-defined development tools Developer action elements ADV_IMP.1.1D The developer shall make available the implementation representation for the entire TSF. ADV_IMP.1.2D The developer shall provide a mapping between the TOE design description and the sample of the implementation representation. Content and presentation elements 6. Security Requirements Security Target Confidential 61 ADV_IMP.1.1C The implementation representation shall define the TSF to a level of detail such that the TSF can be generated without further design decisions. ADV_IMP.1.2C The implementation representation shall be in the form used by the development personnel. ADV_IMP.1.3C The mapping between the TOE design description and the sample of the implementation representation shall demonstrate their correspondence. Evaluator action elements ADV_IMP.1.1E The evaluator shall confirm that, for the selected sample of the implementation representation, the information provided meets all requirements for content and presentation of evidence. 6.2.2.4. ADV_TDS.3 Basic modular design Dependencies: ADV_FSP.4 Complete functional specification Developer action elements ADV_TDS.3.1D The developer shall provide the design of the TOE. ADV_TDS.3.2D The developer shall provide a mapping from the TSFI of the functional specification to the lowest level of decomposition available in the TOE design. Content and presentation elements ADV_TDS.3.1C The design shall describe the structure of the TOE in terms of subsystems. ADV_TDS.3.2C The design shall describe the TSF in terms of modules. ADV_TDS.3.3C The design shall identify all subsystems of the TSF. ADV_TDS.3.4C The design shall provide a description of each subsystem of the TSF. ADV_TDS.3.5C The design shall provide a description of the interactions among all subsystems of the TSF. ADV_TDS.3.6C The design shall provide a mapping from the subsystems of the TSF to the modules of the TSF. ADV_TDS.3.7C The design shall describe each SFR-enforcing module in terms of its purpose and interaction with other modules. ADV_TDS.3.8C The design shall describe each SFR-enforcing module in terms of its SFR- related interfaces, return values from those interfaces, interaction with and called interfaces to other modules. ADV_TDS.3.9C The design shall describe each SFR-supporting or SFR-non-interfering module in terms of its purpose and interaction with other modules. ADV_TDS.3.10CThe mapping shall demonstrate that all behavior described in the TOE design is mapped to the TSFIs that invoke it. Evaluator action elements ADV_TDS.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. Security Target 6.2. Security Assurance Requirements 62 Confidential ADV_TDS.3.2E The evaluator shall determine that the design is an accurate and complete instantiation of all security functional requirements. 6.2.3. Guidance Documents (AGD) 6.2.3.1. AGD_OPE.1 Operational user guidance Dependencies: ADV_FSP.1 Basic functional specification Developer action elements AGD_OPE.1.1D The developer shall provide operational user guidance. Content and presentation elements AGD_OPE.1.1C The operational user guidance shall describe, for each user role, the user- accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings. AGD_OPE.1.2C The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner. AGD_OPE.1.3C The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate. AGD_OPE.1.4C The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF. AGD_OPE.1.5C The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation. AGD_OPE.1.6C The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST. AGD_OPE.1.7C The operational user guidance shall be clear and reasonable. Evaluator action elements AGD_OPE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.3.2. AGD_PRE.1 Preparative procedures Dependencies: No dependencies Developer action elements AGD_PRE.1.1D The developer shall provide the TOE including its preparative procedures. 6. Security Requirements Security Target Confidential 63 Content and presentation elements AGD_PRE.1.1C The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures. AGD_PRE.1.2C The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST. Evaluator action elements AGD_PRE.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. AGD_PRE.1.2E The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation. 6.2.4. Life-Cycle Support (ALC) 6.2.4.1. ALC_CMC.4 Production support, acceptance procedures and automation Dependencies: ALC_CMS.1 TOE CM coverage ALC_DVS.1 Identification of security measures ALC_LCD.1 Developer defined life-cycle model Developer action elements ALC_CMC.4.1D The developer shall provide the TOE and a reference for the TOE. ALC_CMC.4.2D The developer shall provide the CM documentation. ALC_CMC.4.3D The developer shall use a CM system. Content and presentation elements ALC_CMC.4.1C The TOE shall be labelled with its unique reference. ALC_CMC.4.2C The CM documentation shall describe the method used to uniquely identify the configuration items. ALC_CMC.4.3C The CM system shall uniquely identify all configuration items. ALC_CMC.4.4C The CM system shall provide automated measures such that only authorised changes are made to the configuration items. ALC_CMC.4.5C The CM system shall support the production of the TOE by automated means. ALC_CMC.4.6C The CM documentation shall include a CM plan. ALC_CMC.4.7C The CM plan shall describe how the CM system is used for the development of the TOE. ALC_CMC.4.8C The CM plan shall describe the procedures used to accept modified or newly Security Target 6.2. Security Assurance Requirements 64 Confidential created configuration items as part of the TOE. ALC_CMC.4.9C The evidence shall demonstrate that all configuration items are being maintained under the CM system. ALC_CMC.4.10C The evidence shall demonstrate that the CM system is being operated in accordance with the CM plan. Evaluator action elements ALC_CMC.4.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.4.2. ALC_CMS.4 Problem tracking CM coverage Dependencies: No dependencies Developer action elements ALC_CMS.4.1D The developer shall provide a configuration list for the TOE. Content and presentation elements ALC_CMS.4.1C The configuration list shall include the following: the TOE itself; the evaluation evidence required by the SARs; the parts that comprise the TOE; the implementation representation; and security flaw reports and resolution status. ALC_CMS.4.2C The configuration list shall uniquely identify the configuration items. ALC_CMS.4.3C For each TSF relevant configuration item, the configuration list shall indicate the developer of the item. Evaluator action elements ALC_CMS.4.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.4.3. ALC_DEL.1 Delivery procedures Dependencies: No dependencies Developer action elements ALC_DEL.1.1D The developer shall document procedures for delivery of the TOE or parts of it to the consumer. ALC_DEL.1.2D The developer shall use the delivery procedures. Content and presentation elements ALC_DEL.1.1C The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to the consumer. Evaluator action elements ALC_DEL.1.1E The evaluator shall confirm that the information provided meets all 6. Security Requirements Security Target Confidential 65 requirements for content and presentation of evidence. 6.2.4.4. ALC_DVS.1 Identification of security measures Dependencies: No dependencies Developer action elements ALC_DVS.1.1D The developer shall produce development security documentation. Content and presentation elements ALC_DVS.1.1C The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment. Evaluator action elements ALC_DVS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ALC_DVS.1.2E The evaluator shall confirm that the security measures are being applied. 6.2.4.5. ALC_LCD.1 Developer defined life-cycle model Dependencies: No dependencies Developer action elements ALC_LCD.1.1D The developer shall establish a life-cycle model to be used in the development and maintenance of the TOE. ALC_LCD.1.2D The developer shall provide life-cycle definition documentation. Content and presentation elements ALC_LCD.1.1C The life-cycle definition documentation shall describe the model used to develop and maintain the TOE. ALC_LCD.1.2C The life-cycle model shall provide for the necessary control over the development and maintenance of the TOE. Evaluator action elements ALC_LCD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.4.6. ALC_TAT.1 Well-defined development tools Dependencies: ADV_IMP.1 Implementation representation of the TSF Developer action elements ALC_TAT.1.1D The developer shall identify each development tool being used for the TOE. Security Target 6.2. Security Assurance Requirements 66 Confidential ALC_TAT.1.2D The developer shall document the selected implementation-dependent options of each development tool. Content and presentation elements ALC_TAT. 1.1C Each development tool used for implementation shall be well-defined. ALC_TAT. 1.2C The documentation of each development tool shall unambiguously define the meaning of all statements as well as all conventions and directives used in the implementation. ALC_TAT. 1.3C The documentation of each development tool shall unambiguously define the meaning of all implementation-dependent options. Evaluator action elements ALC_ TAT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.5. Tests (ATE) 6.2.5.1. ATE_COV.2 Analysis of coverage Dependencies: ADV_FSP.2 Security-enforcing functional specification ATE_FUN.1 Functional testing Developer action elements ATE_COV.2.1D The developer shall provide an analysis of the test coverage. Content and presentation elements ATE_COV.2.1C The analysis of the test coverage shall demonstrate the correspondence between the tests in the test documentation and the TSFIs in the functional specification. ATE_COV.2.2C The analysis of the test coverage shall demonstrate that all TSFIs in the functional specification have been tested. Evaluator action elements ATE_COV.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.5.2. ATE_DPT.2 Testing: security enforcing modules Dependencies: ADV_ARC.1 Security architecture description ADV_TDS.3 Basic modular design ATE_FUN.1 Functional testing Developer action elements ATE_DPT.2.1D The developer shall provide the analysis of the depth of testing. 6. Security Requirements Security Target Confidential 67 Content and presentation elements ATE_DPT.2.1C The analysis of the depth of testing shall demonstrate the correspondence between the tests in the test documentation and the TSF subsystems and SFR-enforcing modules in the TOE design. ATE_DPT.2.2C The analysis of the depth of testing shall demonstrate that all TSF subsystems in the TOE design have been tested. ATE_DPT.2.3C The analysis of the depth of testing shall demonstrate that the SFR-enforcing modules in the TOE design have been tested. Evaluator action elements ATE_DPT.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.5.3. ATE_FUN.1 Functional testing Dependencies: ATE_COV.1 Evidence of coverage Developer action elements ATE_FUN.1.1D The developer shall test the TSF and document the results. ATE_FUN.1.2D The developer shall provide test documentation. Content and presentation elements ATE_FUN.1.1C The test documentation shall consist of test plans, expected test results and actual test results. ATE_FUN.1.2C The test plans shall identify the tests to be performed and describe the scenarios for performing each test. These scenarios shall include any ordering dependencies on the results of other tests. ATE_FUN.1.3C The expected test results shall show the anticipated outputs from a successful execution of the tests. ATE_FUN.1.4C The actual test results shall be consistent with the expected test results. Evaluator action elements ATE_FUN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. 6.2.5.4. ATE_IND.2 Independent testing – sample Dependencies: ADV_FSP.2 Security-enforcing functional specification AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ATE_COV.1 Evidence of coverage ATE_FUN.1 Functional testing Security Target 6.2. Security Assurance Requirements 68 Confidential Developer action elements ATE_IND.2.1D The developer shall provide the TOE for testing. Content and presentation elements ATE_IND.2.1C The TOE shall be suitable for testing. ATE_IND.2.2C The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF. Evaluator action elements ATE_IND.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. ATE_IND.2.2E The evaluator shall execute a sample of tests in the test documentation to verify the developer test results. ATE_IND.2.3E The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified. 6.2.6. Vulnerability Assessment (AVA) 6.2.6.1. AVA_VAN.3 Focused vulnerability analysis Dependencies: ADV_ARC.1 Security architecture description ADV_FSP.2 Security-enforcing functional specification ADV_TDS.3 Basic modular design ADV_IMP.1 Implementation representation of the TSF AGD_OPE.1 Operational user guidance AGE_PRE.1 Preparative procedures Developer action elements AVA_VLA.3.1D The developer shall provide the TOE for testing. Content and presentation elements AVA_VLA.3.1C The TOE shall be suitable for testing. Evaluator action elements AVA_VLA.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence. AVA_VLA.3.2E The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE. AVA_VLA.3.3E The evaluator shall perform an independent vulnerability analysis of the TOE using the guidance documentation, functional specification, TOE design, security architecture description and implementation representation to identify potential vulnerabilities in the TOE. AVA_VLA.3.4E The evaluator shall conduct penetration testing, based on the identified 6. Security Requirements Security Target Confidential 69 potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Enhanced-Basic attack potential. 6.3. Security Requirements Rationale This chapter demonstrates that the described security requirements are suitable to meet the security objectives and, consequently, to address security problem. 6.3.1. Security functional requirements rationale Security functional requirements rationale demonstrates that: Each security objective for the TOE is addressed by at least one security functional requirement. Each security functional requirement is addressed by at least one security objective. Table 6-21 shows a mapping between the security objectives and SFRs. Table 6-21 Mapping SFRs to the Security Objectives Security Objective SFR O.Availability O.Audit O.Management O.Abnormal_Web_Request_Cutoff O.Identification_And_Authentication O.Web_Contents_Protection O.TOE_Self_Protection O.Information_Flow_Control O.Heuristics O.TSF_Data_Protection FAU_ARP.1 X FAU_GEN.1 X FAU_GEN.2 X FAU_SAA.1 X FAU_SAR.1 X FAU_SAR.3 X FAU_STG.1 X FAU_STG.3 X FAU_STG.4 X FDP_IFC.1(1) X X FDP_IFC.1(2) X X FDP_IFC.1(3) X FDP_IFC.1(4) X FDP_IFF.1(1) X X Security Target 6.3. Security Requirements Rationale 70 Confidential Security Objective SFR O.Availability O.Audit O.Management O.Abnormal_Web_Request_Cutoff O.Identification_And_Authentication O.Web_Contents_Protection O.TOE_Self_Protection O.Information_Flow_Control O.Heuristics O.TSF_Data_Protection FDP_IFF.1(2) X X FDP_IFF.1(3) X FDP_IFF.1(4) X FDP_SDI.2 X FIA_AFL.1 X FIA_ATD.1(1) X FIA_ATD.1(2) X FIA_UAU.2 X FIA_UAU.7 X FIA_UID.2 X FMT_MOF.1(1) X FMT_MOF.1(2) X FMT_MOF.1(3) X FMT_MSA.1(1) X FMT_MSA.1(2) X FMT_MSA.1(3) X FMT_MSA.1(4) X FMT_MSA.1(5) X FMT_MSA.3 X X FMT_MTD.1(1) X FMT_MTD.1(2) X FMT_MTD.1(3) X FMT_MTD.1(4) X FMT_MTD.1(5) X FMT_MTD.2 X X FMT_SMF.1 X FMT_SMR.1 X FPT_TEE.1 X 6. Security Requirements Security Target Confidential 71 Security Objective SFR O.Availability O.Audit O.Management O.Abnormal_Web_Request_Cutoff O.Identification_And_Authentication O.Web_Contents_Protection O.TOE_Self_Protection O.Information_Flow_Control O.Heuristics O.TSF_Data_Protection FPT_FLS.1 X X FPT_TST.1 X X FRU_FLT.1 X FTA_SSL.3 X FAU_ARP.1 Security alarms This component satisfies O.Audit because it ensures an ability to take actions at the detection of security violations. FAU_GEN.1 Audit data generation This component satisfies O.Audit because it ensures an ability to define auditable events and generate audit records. FAU_GEN.2 User identity association This component satisfies O.Audit because it requires a user to be identified to define auditable events and associate each audit record with a user. FAU_SAA.1 Potential violation analysis This component satisfies O.Audit because it ensures an ability to indicate a security violation by monitoring the audited events. FAU_SAR.1 Audit review This component satisfies O.Audit because it ensures an ability of an authorized administrator to review the audit records. FAU_SAR.3 Selectable audit review This component satisfies O.Audit because it ensures an ability to search and sort audit data based on criteria with logical relations. FAU_STG.1 Protected audit trail storage This component satisfies O.Audit because it ensures an ability to protect the audit records from unauthorized modification or deletion. FAU_STG.3 Action in case of possible audit data loss This component satisfies O. Audit because it ensures an ability to take actions if the audit trail exceeds pre-defined limit. Security Target 6.3. Security Requirements Rationale 72 Confidential FAU_STG.4 Prevention of audit data loss This component satisfies O.Audit because it ensures an ability to take actions if the audit trail is full. FDP_IFC.1(1) Subset information flow control(1) This component satisfies O.Information_Flow_Control and O.Heuristics because it ensures that SECUI NXG W Information flow denial policy, which is defined based on the security attributes, will be enforced. FDP_IFC.1(2) Subset information flow control(2) This component satisfies O.Abnormal_Web_Request_Cutoff and O.Information_Flow_Control because it ensures that SECUI NXG W Information flow permission policy, which is defined based on the security attributes, will be enforced. FDP_IFC.1(3) Subset information flow control(3) This component satisfies O.Web_Contents_Protection because it ensures that SECUI NXG W Information flow Web contents protection policy, which is defined based on the security attributes, will be enforced. FDP_IFC.1(4) Subset information flow control(4) This component satisfies O.Information_Flow_Control because it ensures that SECUI NXG W Information flow packet filtering policy, which is defined based on the security attributes, will be enforced. FDP_IFF.1(1) Simple security attributes(1) This component satisfies O.Information_Flow_Control and O.Heuristics because it provides a rule to control information flow based on security attributes. FDP_IFF.1(2) Simple security attributes(2) This component satisfies O.Abnormal_Web_Request_Cutoff and O.Information_Flow_Control because it provides a rule to control information flow based on security attributes. FDP_IFF.1(3) Simple security attributes(3) This component satisfies O.Web_Contents_Protection because it provides a rule to control information flow based on security attributes. FDP_IFF.1(4) Simple security attributes(4) This component satisfies O.Information_Flow_Control because it provides a rule to control information flow based on security attributes. FDP_SDI.2 Stored data integrity monitoring and action This component satisfies O.Web_Contents_Protection because it monitors integrity of the Web contents stored in an external IT entity and provides an appropriate action. FIA_AFL.1 Authentication failure handling This component satisfies O.Identification_And_Authentication because it defines the number of unsuccessful authentication attempts of an administrator to be detected and provides an ability to take actions when the defined number is met or surpassed, thus ensures that an administrator cannot access the GUI administrator console without authentication. FIA_ATD.1(1) User attribute definition(1) This component satisfies O.Identification_And_Authentication because it requires identification and authentication of each authorized administrator. 6. Security Requirements Security Target Confidential 73 FIA_ATD.1(2) User attribute definition(2) This component satisfies O.Identification_And_Authentication because it requires identification and authentication of each user. FIA_UAU.2 User authentication before any action This component satisfies O.Identification_And_Authentication because it ensures an ability to authenticate an authorized administrator successfully. FIA_UAU.7 Protected authentication feedback This component O.Identification_And_Authentication because it ensures that only a specified identification and authentication feedback will be provided to a user while the identification and authentication are in progress. FIA_UID.2 User identification before any action This component satisfies O.Identification_And_Authentication because it ensures an ability to identify a user successfully. FMT_MOF.1(1) Management of security functions(1) This component satisfies O.Management because it ensures that an authorized administrator is able to manage the security functions. FMT_MOF.1(2) Management of security functions(2) This component satisfies O.Management because it ensures that an authorized administrator is able to manage the security functions. FMT_MOF.1(3) Management of security functions(3) This component satisfies O.Management because it ensures that an authorized administrator is able to manage the security functions. FMT_MSA.1(1) Management of security attributes(1) This component satisfies O.Management because it ensures that an authorized administrator manages the security attributes based on which the information flow control policies are applied. FMT_MSA.1(2) Management of security attributes(2) This component satisfies O.Management because it ensures that an authorized administrator manages the security attributes based on which the information flow control policies are applied. FMT_MSA.1(3) Management of security attributes(3) This component satisfies O.Management because it ensures that an authorized administrator manages the security attributes based on which the information flow control policies are applied. FMT_MSA.1(4) Management of security attributes(4) This component satisfies O.Management because it ensures that an authorized administrator manages the security attributes based on which the information flow control policies are applied. FMT_MSA.1(5) Management of security attributes(5) This component satisfies O.Management because it ensures that an authorized administrator manages the security attributes based on which the information flow control policies are applied. FMT_MSA.3 Static attribute initialization This component satisfies O.Management and O.Abnormal_Web_Request_Cutoff because it provides initial values of the security attributes on which the information flow control policies apply. Security Target 6.3. Security Requirements Rationale 74 Confidential FMT_MTD.1(1) Management of TSF data(1) This component satisfies O.Management because it ensures that only an authorized administrator can manage the TSF data related to security. FMT_MTD.1(2) Management of TSF data(2) This component satisfies O.Management because it ensures that only an authorized administrator can manage the TSF data related to security. FMT_MTD.1(3) Management of TSF data(3) This component satisfies O.Management because it ensures that only an authorized administrator can manage the TSF data related to security. FMT_MTD.1(4) Management of TSF data(4) This component satisfies O.Management because it ensures that only an authorized administrator can manage the TSF data related to security. FMT_MTD.1(5) Management of TSF data(5) This component satisfies O.Management because it ensures that only an authorized administrator can manage the TSF data related to security. FMT_MTD.2 Management of limits on TSF data This component satisfies O.Management and O.Identification_And_Authentication because it ensures that an authorized administrator defines limits for the number of failed authentication attempts and that actions will be taken if the limits are reached. FMT_SMF.1 Specification of Management Functions This component satisfies O.Management because it requires the specification of the security management functions of the security attributes, TSF data, and security functions that the TSF shall enforce. FMT_SMR.1 Security roles This component satisfies O.Management because it provides roles related to security that the TSF can recognize. FPT_TEE.1 Testing of external entities This component satisfies O.TOE_Self_Protection because it ensures that testing of external entities is performed to demonstrate the correct operation of the external entities of the TSF. FPT_FLS.1 Failure with preservation of secure state This component satisfies O.Availability and O.TOE_Self_Protection because it ensures that the TOE preserves secure state for the operation of important security functions. FPT_TST.1 TSF testing This component satisfies O.TOE_Self_Protection and O.TSF_Data_Protection because it ensures self tests of the TSF to demonstrate the correct operation of the TSF and a function that an authorized administrator verifies the integrity of the TSF data and TSF executable code. FRU_FLT.1 Degraded fault tolerance This component satisfies O.Availability because it ensures that the TOE maintains important security functions in case of failure and performs information flow control. FTA_SSL.3 TSF-initiated termination This component satisfies O.Management because it requires a function to terminate an 6. Security Requirements Security Target Confidential 75 authorized session after a defined time of an authorized administrator’s inactivity. 6.3.2. Security assurance requirements rationale The evaluation assurance level of this Web application firewall is EAL4. EAL4, which requires methodical design, test, and review, permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, though rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security-specific engineering costs. EAL4 provides assurance by a full security target and an analysis of the SFRs in that ST, using a functional and complete interface specification, guidance documentation, a description of the basic modular design of the TOE, and a subset of the implementation, to understand the security behavior. The analysis is supported by independent testing of the TSF, evidence of developer testing based on the functional specification and TOE design, selective independent confirmation of the developer test results, and a vulnerability analysis (based upon the functional specification, TOE design, implementation representation, security architecture description and guidance evidence provided) demonstrating resistance to penetration attackers with an Enhanced-Basic attack potential. 해 뒷받침된다. 6.4. Dependencies rationale 6.4.1. Dependencies between the SFRs No. Functional component Dependencies Reference no. 1 FAU_ARP.1 FAU_SAA.1 4 2 FAU_GEN.1 FPT_STM.1 - 3 FAU_GEN.2 FAU_GEN.1 FIA_UID.1 2 17 4 FAU_SAA.1 FAU_GEN.1 2 5 FAU_SAR.1 FAU_GEN.1 2 6 FAU_SAR.3 FAU_SAR.1 5 7 FAU_STG.1 FAU_GEN.1 2 8 FAU_STG.3 FAU_STG.1 7 9 FAU_STG.4 FAU_STG.1 7 10 FDP_IFC.1 FDP_IFF.1 11 11 FDP_IFF.1 FDP_IFC.1 FMT_MSA.3 10 20 12 FDP_SDI.2 - - 13 FIA_AFL.1 FIA_UAU.1 15 14 FIA_ATD.1 - - 15 FIA_UAU.2 FIA_UID.1 17 Security Target 6.4. Dependencies rationale 76 Confidential No. Functional component Dependencies Reference no. 16 FIA_UAU.7 FIA_UAU.1 15 17 FIA_UID.2 - - 18 FMT_MOF.1 FMT_SMF.1 FMT_SMR.1 23 24 19 FMT_MSA.1 [ FDP_ACC.1 또는 FDP_IFC.1 ] FMT_SMF.1 FMT_SMR.1 10 23 24 20 FMT_MSA.3 FMT_MSA.1 FMT_SMR.1 19 24 21 FMT_MTD.1 FMT_SMF.1 FMT_SMR.1 23 24 22 FMT_MTD.2 FMT_MTD.1 FMT_SMR.1 21 24 23 FMT_SMF.1 - - 24 FMT_SMR.1 FIA_UID.1 17 25 FPT_TEE.1 - - 26 FPT_FLS.1 - - 27 FPT_TST.1 - - 28 FRU_FLT.1 FPT_FLS.1 26 29 FTA_SSL.3 - - FAU_GEN.2, FIA_UAU.2, and FMT_SMR.1 are dependent on FIA_UID.1, which is satisfied by including FIA_UID.2 that is hierarchical to FIA_UID.1. FIA_AFL.1 and FIA_UAU.7 are dependent on FIA_UAU.1, which is satisfied by including FIA_UAU.2 that is hierarchical to FIA_UAU.1. FAU_GEN.1 is dependent on FPT_STM.1, which is satisfied by OE.Time_Stamp as the TOE uses trusted time stamp provided in the operational environment to record security-relevant events correctly. 6.4.2. Dependencies between the SARs Dependencies in each assurance package provided in the CC are considered satisfied. 7. TOE summary specification Security Target Confidential 77 7. TOE summary specification This chapter describes the IT security functions that satisfy the functional requirements and how the security functions satisfy the TOE security functional requirements. 7.1. Security Audit (SW_AUDIT) 7.1.1. Audit record generation (SW_AUDIT_GEN) Audit generation and protection can generate audit records regarding the following: z Start-up and shutdown of the audit functions z Actions taken due to potential security violations z Enabling and disabling of any of the analysis mechanisms; Automated responses performed by the tool z Decisions to permit requested information flows z Reaching the threshold for the unsuccessful authentication attempts, actions taken and, if appropriate, the subsequent restoration to the normal state z Unsuccessful use of the authentication mechanism z Unsuccessful use of the user identification mechanism, including the user identity provided z Use of the management functions z Modifications to the group of users that are part of a role z Integrity errors z Termination of an interactive session by the session locking mechanism z Successful attempts to check the integrity of user data, including an indication of the results of the check z Any failure detected by the TSF The following are audit records additional to those generated on the auditable events above: z Decisions to permit requested information flows: Identification information of an object and a decision to deny z Actions taken due to potential security violations: Identity of a recipient of those actions For the auditable events above, each audit record includes at least: z Date and time of the event z Event type z Subject identity z Outcome(either success or failure) of the event Date and time of the event clearly identify the time, date, month, and year on which the event happened. Audit records for each type of audit log are categorized into Allowed transaction log, Denied transaction log, IP firewall log, audit log (configuration log), and system log; generation of each audit record may either be included or excluded. For each type of audit log, audit record is generated in the following log fields. An audit record can verify the user identity required by FAU_GEN.2. Security Target 7.1. Security Audit (SW_AUDIT) 78 Confidential Allowed/denied transaction log is the audit record about the attack types of Web intrusion. Table 7-1 and 7-2 show the log fields. Table 7-1 Allowed Transaction Log Fields Field Description Time Shows date and time Server Information Shows server information Server Port Shows server Port Client IP Shows IP address of a Web client that tried to access the protected Web server URL Shows information of a URL that a Web client accessed Table 7-2 Denied Transaction Log Fields Field Description Time Shows date and time Server Information Shows server information Server Port Shows server Port Attacker IP Shows IP address from which attack has been tried against the protected Web server Attack Type Shows the attack type of Web intrusion Warning Level Shows ‘Minor’ in case of allowed transaction; shows ‘Major’ in case of denied transaction Result Shows the result of an attack – either allowed, denied, or Redirect URL Shows information of a detected URL IP firewall log is an audit record about allowed or blocked packets as a result of packet filtering. Table 7-3 shows its log fields. Table 7-3 IP Firewall Log Fields Field Description Time Shows date and time Source IP Show the source IP address Source Port Show the source port number Destination IP Show the destination IP address Destination Port Show the destination port number Protocol Shows the type of protocol used in packet filtering Policy ID Show the ID of packet filtering rules Allow/Deny Show the result of allowed or denied packets Audit log, or configuration log, is an audit record about management behavior of the TOE on the GUI or CLI administrator console. Table 7-4 shows its log fields. Table 7-4 Audit Log(Configuration Log) Fields Field Description Time Shows date and time Command Shows the commands enforced by an administrator Source ID Shows a subject ID that generates a configuration log Destination ID Shows an object ID on which a configuration log is generated 7. TOE summary specification Security Target Confidential 79 Field Description Result Shows the result of an administrator’s behavior Warning Level Shows the priority of each configuration log User ID Shows a user ID of each configuration log System log is an audit record about integrity violation that can occur under the TOE operation mode such as the TOE self testing or testing of external entities and about all kinds of failure detected by the TSF. Table 7-5 shows its log fields. Table 7-5 System Log Fields Field Description Time Shows date and time Warning Level Shows the priority of each system log Message Shows a detailed description of each system log Compression of audit records can be by every 50M, 100M, 500M, or 1G. If Syslog server is defined, the audit record files can be transferred remotely. The TOE is able to indicate, by FAU_SAA.1, a potential violations analysis using the following information: Table 7-6 Target of Potential Violation Analysis 9 Accumulation of administrator authentication failure 9 Accumulation of audit events of information flow control rule violation 9 Accumulation of audit events of TSF data and executable code integrity violation Table 7-7 shows the audit events of information flow control rule violation. Table 7-7 Audit Event of Information Flow Control Rule Violation Information Flow Control Rule Audit Event of a Rule Violation SECUI NXG W Information flow denial policy Audit event where an audit record is generated that information requested by a Web client is considered an attack because it does not match the cookie domain, cookie, virtual Web server, and URL list that are registered by the TOE through heuristics. SECUI NXG W Information flow permission policy Audit event where an audit record is generated that information requested by a Web client is considered an attack because it matches the block-rule that the TSF provides based on the Web server, cookie, and HTTP Request Message registered by the TOE through heuristics. SECUI NXG W Information flow Web contents protection policy Audit event where an audit record is generated that information requested by a Web client is considered an attack because it matches the MIME attribute provided by the protected Web server and a rule to protect contents – to transform, allow, or block. If any of those events in the Table 7-6 is considered by FAU_ARP.1 as a potential violation, an email will be sent to an address registered by an administrator through the GUI administrator console. 7.1.2. Audit record review (SW_AUDIT_REVIEW) According to FAU_SAR.1, an administrator can review all audit data that are translated into Security Target 7.2. Identification and Authentication (SW_INA) 80 Confidential readable form with network connection through the GUI administrator console. Audit trail results are provided in a report form to be interpreted easily. The TOE provides a report function that makes chart and graph of daily, weekly, monthly, and yearly statistics about top-listed attacks and prints out the result in a report format in a PDF or Excel file. According to FAU_SAR.3, an administrator also can review audit data after filtering it with a defined rule or with a specific criteria with logical relations (using audit review items). Types of auditable events that allow review are Web intrusion block event, Packet filtering rule check event, Security management behavior event, and TOE self test and TSF failure detection event. These can be reviewed for the following types of events in the Table 7-8 if Audit data generation enables audit function on the Allowed/denied transaction log, IP firewall log, audit log(configuration log), and system log. Table 7-8 Audit Review Criteria Type of Auditable Event Audit review item Criteria Allowed transaction log URL, Period setting, Client IP, Server information • Search by keywords for each audit review item. • Search by for more than one audit review item and in condition ‘AND’ Denied transaction log Warning level, URL, Period setting, Attacker IP, Server information, Result, Attack type IP firewall log Period setting, Source IP, Source port, Destination IP, Destination port, Protocol, Policy ID, Action Audit log (Configuration log) Period setting, Source ID, Destination ID, User ID System log Warning level, 7.1.3. Audit record protection (SW_AUDIT_PROTECT) According to FAU_STG.1, the TOE generates an audit record in a binary type, not a normal text file. Log does not allow MODIFY but READ right only. The TOE therefore can prevent modification of the audit records. According to FAU_STG.3, the TOE checks audit storage every 10 seconds and, if more than the capacity that the administrator defined(55~100%) of the file system in which audit data is stored is used, send an alarm email to an authorized administrator. According to FAU_STG.4, the TOE sends an alarm email to an administrator if the audit storage is full (more than 99% of the capacity is being used) and starts deleting the oldest audit record. Therefore the authorized administrator shall manage the capacity of audit data trail carefully and delete audit records using the GUI administrator console (system configuration initialization and log backup) if the audit data threshold is passed. 7.2. Identification and Authentication (SW_INA) 7.2.1. Administrator group generation and administrator registration (SW_INA_REGISTER) When an administrator wants to use the GUI administrator console or access the TOE through the CLI administrator console, the administrator shall be identified and authenticated. When the TOE is enabled, an administrator can access the TOE and log in with the administrator 7. TOE summary specification Security Target Confidential 81 information set as a default values from the point of delivery. The TOE allows its administrator to define an administrator group and manage it for each Web server and domain separately, which is necessary for the management of many different Web servers and domains. The TOE can register an administrator in the administrator group through the GUI administrator console. The following information will be needed to register an administrator. • User ID: Input administrator ID (Valid from 4 to 32 bytes) • Password: Input password (Valid from 4 to 32 bytes) • Re-enter password: Input password again • Name: Input administrator name • Email: Input administrator email address • Tel. no.: Input administrator’s phone number • Other: Input other information • Level: Set administrator level (See Table 7-15 Authorized administrator roles) • Group list: Select administrator group Authority of administrator is categorized into a super administrator, server administrator, and user. Management of administrators is only possible by a super administrator. 7.2.2. Administrator identification and authentication (SW_INA_AUTH) All accesses to the TOE are through the GUI or CLI administrator console. The TOE provides a function to identify and authenticate an administrator before any action (FIA_UID.2, FIA_UAU.2). Identification and authentication of an administrator use password based process. Information of the ID (identifier), password, and authority are stored in the TOE file system according to FIA_ATD.1(1) and used for confirmation of the ID and password an authorized administrator will input when accessing the GUI administrator console. Access will be allowed only when the values match the stored data. According to FIA_ATD.1(2), the TOE identifies an external IT entity accessing the protected Web server and checks whether it is authorized using an IP address. If an IT entity that is not registered by an authorized administrator accesses a specific URL of the protected Web server, the TOE identifies it and generates an audit record. An administrator cannot enforce any security functions before authentication. While authentication is in progress, the password input by a user will be displayed as ‘*’ according to FIA_UAU.7 to protect authentication data. In case of authentication failure, the TOE will display a login failure message. According to FIA_AFL.1, when an authentication attempt fails three consecutive times, the TOE will block login access from the failed administrator ID for the next 5 minutes. 7.3. User Data Protection (SW_DP) The TSF applies SECUI NXG W Information flow denial policy, SECUI NXG W Information flow permission policy, SECUI NXG W Information flow Web contents protection policy, and SECUI NXG W Information flow packet filtering policy on operations causing information flow between a Security Target 7.3. User Data Protection (SW_DP) 82 Confidential subject and information, which sends and receives information through the TOE. 7.3.1. Web server attack protection (SW_DP_AP) Web server attack protection is comprised of Web server data learning, Web server data protection, and Service contents protection. Actual security actions will be taken based on the violation detected by Web server data protection and Service contents protection. An administrator can select an action to be taken upon detection of security attributes violation on the objects to be protected by the TOE among the following: − LOG − Drop − Sending a warning page − Page redirection (Redirection) − Emailing an administrator − Replacing characters 7.3.1.1. Web server data learning (SW_DP_AP_LEARN) The TOE monitors the protected Web server for the request of a Web client for a specific period of time and, based on collected Web traffic data, builds a Web tree database. Web traffic data collected during monitoring, such as MIME, Method, or Header information, will be registered either automatically by heuristics or manually by an administrator, so that it can be used in SECUI NXG W Information flow denial policy defined in FDP_IFC.1(1) and FDP_IFF.1(1). The TOE collects the following types of Web traffic data as security attributes defined in FDP_IFF.1(1): z MIME(Multi-Purpose Internet Mail Extensions) z Method z Header MIME is an advanced protocol that enables transmission of various types of data files on HTTP protocol that allows processing of ASCII data only. When a Web server sends traffic after establishing MIME header, a client will receive it and selects an appropriate application to review the data according to the data type set up by the Web server. If there is no MIME established, the Web traffic will be blocked. The TOE provides the following list of MIMEs: y Types of MIME: text/html, text/plain, text/css, text/xml, multipart/form-data, application/x-ww-form-urlencoded, application/x-hwp, application/unknown, application/octet-stream, application/pdf, application/vnd.ms-excel, application/vnd.ms- powerpoint, application/msword, application/x-shockwave-flash, message/http, image/bmp, image/gif, image/jpeg, video/mpeg, video/x-msvideo Method means how to request a URL on HTTP protocol. A Method name will be registered at the same time with the Web server data heuristics, which will mostly be about GET and POST. If a Method name is not registered, the Web traffic will be blocked. Header refers to a method with which a client makes request to a server or a server responds to a client. If Header is not defined, all request data and response data of all Web traffics will be blocked. The TOE provides the following list of Headers: y Types of Header: Accept, Accept-Charset, Accept-Encoding, Accept-Language, Accept-Ranges, Age, Allow, Authorization, Cache-Control, Connection, Content- Encoding, Content-Language, Content-Length, Content-Type, Cookie, Cookie2, Date, ETag, Expires, Host, If-Modified-Since, If-Match, If-None-Match, If-Range, If- 7. TOE summary specification Security Target Confidential 83 Unmodified-Since, Last-Modified, Location, Pragma, Proxy-Authenticate, Proxy- Authorization, Proxy-Connection, Range, Referer, Retry-After, Server, Set-Cookie, Set- Cookie2, TE, Transfer-Encoding, UA-CPU, User-Agent, WWW-Authenticate, X- Forwarded-For 7.3.1.2. Web server data protection (SW_DP_AP_PROTECT) The TOE can perform intrusion detection and protection on the protected Web server by analyzing types of Web intrusion exploiting vulnerabilities of the Web based on the Web traffic data collected by Web server data learning(SW_DP_AP_LEARN). To this end, an authorized administrator of the TOE should set up a policy to be applied according to FDP_IFC.1(2) and FDP_IFF.1(2). Checking Web traffic is based on a thorough analysis of a source IP address, destination IP address, and HTTP protocol. Attack pattern will be checked in accordance with the policies set by each module composed as a countermeasure against the top 10 vulnerabilities defined by OWASP(Open Web Application Security Project, www.owasp.org) (2007). Packets generated by the TOE and those delivered to a Web server that is not protected are not related to the security functions. Security functions applied for Web server attack protection are listed below: Base64 encoding check If an external user transfers data that did not use base64 encoding method while the policy is established that any query transferred to the Web server should use base64 encoding method, the TOE performs security behaviors(i.e. LOG, Drop, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Command injection protection The TOE checks if an external user uses command on the Web server using a query or cookie data or reads a data file stored in the system and, if it is the case, performs security behaviors (i.e. LOG, Drop, page redirection, sending a warning page, emailing an administrator, or replacing characters) as set by an administrator. Command injection protection includes protection against null injection. Cookie corruption check If a stolen cookie value is detected or an unauthorized cookie (domain) is transferred from the Web server through an analysis, the TOE provides functions to protect cookies. Cookie policy can be categorized into data protection policy and data security policy. Data protection policy (shown in the Table 7-9) is for protection against manipulation of cookie data. Cookie encryption, which uses SHA-2(256 bits) algorithm, is to prevent illegal access by cookie manipulation. Session cookie is to check if a user of cookie on a current session is an owner of the cookie made by the Web server and protect against cookie manipulation attack, i.e. replay attack, consequently maintaining a cookie session for a period of time defined by an administrator. Cookie heuristics is used to monitor and register a new cookie. If appropriate, the TOE will perform security behaviors (i.e. LOG, Drop, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Table 7-9 Cookie Policy: Data Protection Policy Policy Action Encryption Check / Do not check Session cookie Check / Do not check Cookie heuristics Check / Do not check Data security policy is for protection against Web server attacks using a cookie. As listed in the Table 7-10, it includes command injection protection, cross-site scripting protection, and SQL Security Target 7.3. User Data Protection (SW_DP) 84 Confidential injection protection. Table 7-10 Cookie Policy: Data Security Policy Policy Action Command injection protection Check / Do not check Script injection protection Check / Do not check 검사 또는 검사 안함 SQL injection protection Check / Do not check Note that data security policy is applied according to the setting of command injection protection, cross-site scripting protection, and SQL injection protection. Cross-site scripting protection The TOE checks if an external user intends to operate a malicious HTML tag or script on his Web browser or another’s Web browser that displayed a Web page and, if any violation is detected, performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Header buffer overflow check If an external user attempts to transfer a header of a bigger size than specified by an administrator to cause an error in the Web server, the TOE performs security behaviors (i.e. LOG, Drop, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Header method check If a method of an accessing URL is not one of the header methods that are allowed for each URL or learnt to be allowed, the TOE performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Hidden field manipulation protection If an external user manipulates a hidden field into the Web server using POST query, the TOE performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Password check The TOE analyzes password of an external user accessing the Web server and, if vulnerability is detected, performs security behaviors (i.e. LOG, Drop, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Policy bypass for the purpose of administration (IP address explicitly allowed without applying a policy) check When a protected Web server is registered on the TOE through heuristics and its IP address is set as an exceptionally allowed one in the policy bypass for the purpose of administration, the Web server administrator can perform functions on the Web page. That is, the Web server administrator who accesses a certain IP address that is defined as an explicitly allowed address can access the protected Web server without the information flow control policies of the TOE being applied. Query check The TOE analyzes query of an external user accessing the Web server and performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator if its number exceeds the limit for each URL, its phrase does not match the rule, the URL does not include a core query for each URL, or it matches the query value check pattern. Query check 7. TOE summary specification Security Target Confidential 85 SQL injection protection The TOE checks if an external user causes an SQL error to enforce SQL command randomly on the Web server and, if it is the case, performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, emailing an administrator, or replacing characters) as set by an administrator. SSL induction The TOE shall protect data being transferred between a Web client and the Web server protected by the TOE using SSL protocol as specified by SECUI NXG W Information flow permission policy. When SSL induction is in use, it will first confirm that the requested URL on the Web browser needs to be protected by SSL and, if the request is using HTTP, send a response message that says access should be done by HTTPS. URL-based access control The TOE checks an IP address and network of an external user accessing the Web server and, on the sessions denied by an administrator, performs security behaviors (i.e. LOG, Drop page redirection, sending a warning page, or emailing an administrator) as set by the administrator. URL check If a domain name in a protected Web server is defined by an administrator as an alias, the TOE will interpret the domain information and collect Web traffic data of that Web server. The TOE analyzes URL of an external user accessing the Web server and, if an attempt to access from unauthorized URL or wrong data is detected, performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. The URL information analyzed by URL check modules will also be used by other security modules. URL check also includes directory access check and subsequent protection. URL extension check If the URL of an external user accessing the Web server includes a file extension not registered, the TOE performs security behaviors (i.e. LOG, Drop, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Extension can be registered on the protected Web server either manually or automatically through heuristics. 7.3.1.3. Service contents protection (SW_DP_AP_CONTENTS) Response traffic from the Web server may contain various kinds of vulnerable information. The TOE applies SECUI NXG W Information flow Web contents protection policy defined in FDP_IFC.1(3) and FDP_IFF.1(3) to prevent the information from being leaked. All response traffic that is sent to a Web client from the Web server will be transmitted through the TOE. The TOE will first analyze the traffic and perform Web contents protection as specified by the policy. Personal credit information like an SSN and credit card number included in the page serviced by the web server will be protected by the following security functions: Social security number(SSN) protection If the web server transfers data including an SSN at an external user’s request or the requested contents include an SSN, performs security behaviors (i.e. LOG, DROP, or modifying data) as set by an administrator. Attached files will also be checked for an SSN. Credit card number protection If the Web server transfers data including a credit card number at an external user’s request or the requested contents include a credit card number, performs security behaviors (i.e. LOG, DROP, or modifying data) as set by an administrator. Attached files will also be checked for a credit card number. Response from the Web server may include information about the Web server itself such as Security Target 7.3. User Data Protection (SW_DP) 86 Confidential types of server and application, different error values, or footnote, which will be protected by the following security functions: Error page handling When a response message from the web server is an HTTP error page, performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator to prevent the server information from being leaked. Comment removal When an external user uses web service provided by the web server, deletes a footnote among the sources of the web page to protect information about the web server and web page from being leaked and performs security behaviors (i.e. LOG or emailing an administrator) as set by an administrator. Forbidden word check If an external user accessing the Web server uploads a forbidden word or attempts to access the contents including a forbidden word, performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator or replaces the word by another permitted word. The Web server may have risk of having corruption of contents of the Web page by a malicious user through a channel not protected by the TOE. In this case, the following security function can prevent leakage of the corrupted page in accordance with FDP_SDI.2. Checksum protection The TOE performs a checksum operation on the contents(Web page) of the protected Web server to detect corruption. It is possible through heuristics of the contents by which the TOE remembers checksum values. Upon detection of corruption, it performs security behaviors (i.e. LOG, DROP, page redirection, sending a warning page, or emailing an administrator) as set by an administrator. Web server contents can be an initial homepage, image, file, etc. Security attributes of the contents can be set up as MIME type. Integrity check will only be performed on the objects possessing the security attributes in question. Server information cloaking The TOE replaces server information provided by the server header of a protected Web server by information processed in the header in order to prevent the server information from being exposed. Web traffic that passed through SECUI NXG W Information flow Web contents protection policy will be transmitted to a Web client that requested the Web page. 7.3.2. Packet filtering (SW_DP_PF) The TOE applies SECUI NXG W Information flow packet filtering policy according to FDP_IFC.1(4) and FDP_IFF.1(4) to provide a packet filtering function for network packets being sent to the Web server or a Web client. SECUI NXG W Information flow packet filtering policy set by an authorized administrator will be applied to packets sent to the TOE from outside to decide whether to allow or deny access to the TOE or a protected Web server by the TOE. Rules of packet filtering will be decided based on the source IP, source netmask, destination IP, destination netmask, destination port number, protocol, priority, and packet direction. 7. TOE summary specification Security Target Confidential 87 7.4. Security Management (SW_MAN) 7.4.1. Management of security functions (SW_MAN_FUN) According to FMT_MOF.1 and FMT_SMF.1, an administrator can disable, enable, and modify the behavior of the security functions through the CLI/GUI administrator console. It is ensured that the ability to perform these functions are restricted to an authorized administrator as in the Table 7-9 List of management of security functions. Table 7-11 List of Management of Security Functions Function Ability Role Operate the function of system monitoring Disable, enable Super administrator Operate the function for each TOE information flow control rule Disable, enable Super administrator, server administrator Operate the function of automatic heuristics in Redirect server Disable, enable Super administrator, server administrator Operate the function of each Web server Disable, enable Super administrator, server administrator Initialize the system configuration Enable Super administrator Restart the services(TSF process) Enable Super administrator Restart the system Enable Super administrator Backup and recover the TOE configuration data Enable Super administrator Execute the CLI commands Enable Super administrator, server administrator, user Check the integrity Enable Super administrator Print out reports Enable Super administrator, server administrator, user Define the operation mode of the TOE Modify behavior Super administrator Trail audit records Modify behavior Super administrator Set up the operation mode of the TOE automatic heuristics Modify behavior Super administrator, server administrator Apply the security policy of a cookie domain Modify behavior Super administrator, server administrator Apply the security policy of a cookie Modify behavior Super administrator, server administrator Set up the operation mode of heuristics of a Web server URL Modify behavior Super administrator, server administrator Apply the security policy of a Web server URL Modify behavior Super administrator, server administrator Apply the monitoring traffic policy in automatic heuristics Modify behavior Super administrator, server administrator Apply the non-monitoring traffic policy Modify behavior Super administrator, server administrator Set up the operation mode of heuristics of each Web server Modify behavior Super administrator, server administrator Apply the heuristics policy of each Web server Modify behavior Super administrator, server administrator Whether to permit an abnormal Escape word Modify behavior Super administrator, server administrator Security Target 7.4. Security Management (SW_MAN) 88 Confidential 7.4.2. Management of security attributes (SW_MAN_ATTR) An authorized administrator can query, generate, modify, delete, or learn by heuristics the security attributes of information flow control policies defined in FMT_MSA.1(1), FMT_MSA.1(2), FMT_MSA.1(3), FMT_MSA.1(4), and FMT_MSA.1(5). Table 7-12 Management of Security Attributes Information Flow Control Policy Security attribute Operation Super administrator, server administrator Super administrator SECUI NXG W Information flow denial policy MIME Query, generate, modify, delete, learn - Method Query, generate, modify, delete, learn - Header Query, generate, modify, delete, learn - SECUI NXG W Information flow permission policy Web server address Query, generate, modify, delete, learn - Cookie Query, generate, modify, delete, learn - Cookie domain Query, generate, modify, delete, learn - URL Query, generate, modify, delete, learn - HTTP Request Message Query, generate, modify, delete, learn - SECUI NXG W Information flow Web contents protection policy MIME Query, generate, modify, delete, learn - HTTP Response Message Query, generate, modify, delete, learn - SECUI NXG W Information flow packet filtering policy Source IP address - Query, generate, modify, delete Source netmask - Query, generate, modify, delete Destination IP address - Query, generate, modify, delete Destination port number - Query, generate, modify, delete Priority - Query, generate, modify, delete Packet direction - Query, modify Protocol - Query, modify According to FMT_MSA.3 and FMT_SMF.1, the TOE provides a restrictive default value used in SECUI NXG W Information flow permission policy, SECUI NXG W Information flow denial policy, and SECUI NXG W Information Web contents protection policy; receives a safe value of corresponding security attributes; and sends an alarm in case of an insecure value. The TSF provides a default value for a security attribute that it intends to modify or establish. Invalid security attributes cannot be input. The TOE can decide an alternative initial value to override the default value provided by the TOE when an authorized administrator generates an information flow control policy. 7. TOE summary specification Security Target Confidential 89 7.4.3. Management of TSF data (SW_MAN_DATA) 7.4.3.1. Management of TSF data (SW_MAN_DATA_ADMIN) An authorized administrator of the TOE can manage the TSF data stated below as specified in FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), FMT_MTD.1(4), FMT_MTD.1(5), and FMT_SMF.1 through the GUI administrator console. Table 7-13 Management of TSF Data TSF data Operation Super administrator Server administrator User System status information Query Query Query Version and information of the TOE Query, modify - - Time information of the TOE Query, modify Query Query Time limit of an administrator session Query, modify Query Query Permitted number of login sessions Query, modify Query Query Number of concurrent sessions of super administrators Query, modify Query Query Administrator interface information Query, modify Query Query Information of the TOE network interface Query, modify Query Query Information of the TOE network Zone Query, modify Query Query Information of the TOE bridge interface Query, modify Query Query LLCF setup information Query, modify Query Query Address of each operation mode of the TOE network Query, modify Query Query Interface information of each operation mode of the TOE network Query, modify Query Query Routing configuration information Query, modify, delete, generate Query Query Address of other servers (DNS, NTP) Query, modify Query - Query - Configuration information of a host name Query, modify, delete, generate Query Query Warning page Query, modify, delete, generate Query Query Configuration information of a policy bypass for the purpose of administration Query, modify, delete, generate Query Query Configuration information of a policy bypass group for the purpose of administration Query, modify - - Configuration information of a policy bypass administrator email for the purpose of administration Query, modify - - Security Target 7.4. Security Management (SW_MAN) 90 Confidential TSF data Operation Super administrator Server administrator User Configuration information of an administrator mail Query, modify, delete, generate Query Query Information about enabling audit functions and criteria of audit records trail Query, modify Query Query Information of real-time traffic status Query Query Query Statistics of the TOP10 among blocked Web intrusion events Query Query Query Real-time monitoring information of blocked Web intrusion events Query Query Query Log search information of an audit review items for each type of audit event Query Query Query Statistics of an audit for a specific period of time Query Query Query Site (automatic) heuristics setup information Query, delete, generate Query, delete, generate Query URL property information of each Web server Query, modify Query, modify - Remote log server setup information Query, modify Query Query HA setup information Query, modify Query, modify Query Configuration information of each Web server URL host Query, modify, delete, generate Query, modify, delete, generate - IP address and Port configuration information of each Web server Query, modify, delete, generate Query, modify, delete, generate - Setup information of each Web server heuristics: MIME list, Method list, and Header list Query, delete, generate Query, delete, generate - Configuration information of an SSL certificate Query, modify, delete, generate Query, modify, delete, generate - Information about identification and authentication of an administrator Query, modify, delete, generate Query, modify, delete, generate Query, modify, delete, generate Configuration information of SECUI NXG W Information flow denial policy Change_default, query, modify, delete, generate, learn Change_default, query, modify, delete, generate, learn - Configuration information of SECUI NXG W Information flow permission policy Change_default, query, modify, delete, generate, learn Change_default, query, modify, delete, generate, learn - Configuration information of SECUI NXG W Information flow Web contents protection policy Change_default, query, modify, delete, generate, learn Change_default, query, modify, delete, generate, learn - Configuration information of SECUI NXG W Information flow packet filtering policy Query, modify, delete, generate - - 7. TOE summary specification Security Target Confidential 91 * Note that SECUI NXG 4000W-4C and SECUI NXG 2000W-4C do not allow HA configuration. 7.4.3.2. Management of limits on TSF data (SW_MAN_DATA_LIMIT) The TOE takes actions below when defined limits on TSF data are reached or exceeded in accordance with FMT_MTD.2 and FMT_SMF.1. Table 7-14 Management of Limits on TSF Data and Actions TSF Data Limit Action Time limit of an administrator session 1~600(minutes) Terminate GUI and re-authenticate Permitted number of login sessions 1~256 Block access to GUI Cookie session timeout 60~86400(seconds) Terminate the cookie session HTTP header size 1024 ~ 16384 bytes Deny requested Web traffic, email an administrator, make an audit record Display a warning message, email an administrator, make an audit record Redirect to a URL designated by an administrator, email an administrator, make an audit record Number of hidden SSN figures 1~13 Replace the figure with ‘*’ Number of hidden credit card number figures 1~16 Replace the figure with ‘*’ Number of GET query 1~9999 Deny requested query, email an administrator, make an audit record Display a warning message, email an administrator, make an audit record Redirect to a URL designated by an administrator, email an administrator, make an audit record Number of POST query 1~9999 Deny requested query, email an administrator, make an audit record Display a warning message, email an administrator, make an audit record Redirect to a URL designated by an administrator, email an administrator, make an audit record 7.4.4. Security management roles (SW_MAN_ROLE) The TOE maintains authorized administrator roles as in the Table 7-13 in accordance with FMT_SMR.1. An administrator shall be identified and authenticated to interact with the TOE directly through the GUI/CLI administrator console; which will only be possible after that administrator’s identifier is registered. Super administrator has authorities of all management functions provided by the TOE. Server administrator has authorities for management functions except for the following list. User has a read only authority. [security management functions] - Management of security functions: System monitoring, system configuration initialization, backup and recovery of the TOE configuration data, integrity check, TOE network operation mode, method of audit trail, etc. Security Target 7.5. Protection of the TSF (SW_PT) 92 Confidential - Management of TSF data: Version and time information of the TOE, time limit of an administrator session, permitted number of login sessions, administrator interface information, information of the TOE network interface configuration, information of the TOE network interface, address of each operation mode of the TOE network, interface information of each operation mode of the TOE network, address of DNS/NTP server, information about enabling audit functions, configuration information of an administrator email, warning page, configuration information of a policy bypass for the purpose of administration, information about identification and authentication of an administrator, configuration information of a host name, routing configuration information, etc. When an administrator is registered, the identifier (Admin ID), password, authority, and group information of that administrator will be stored in the TOE administrator information list file. Therefore, an administrator ID can always be associated to the corresponding password and authority; which is the way to maintain authorized administrator roles. Table 7-15 Authorized Administrator Roles Authority Role Super Admin Perform all security management functions of the TSF Server Admin Perform security policies of a Web server that belongs to the server admin group USER Review the records of TSF security audit 7.5. Protection of the TSF (SW_PT) 7.5.1. TSF data integrity check and action (SW_PT_CHK) This function ensures the integrity of files when an administrator stores, deletes, or modifies TSF data in the TOE listed below through the GUI administrator console according to FPT_TST. 1. Integrity check will be performed during initial start-up or at the request of an administrator. 9 TSF executable file 9 Identification and authentication data 9 TSF configuration file Whenever the TSF data is changed, the system will calculate Hash value using SHA algorithm and store it in the TOE, which will be checked by Hash value check program. Hash value check program calculates the Hash value of the TSF executable file, configuration file, and authentication data currently stored in the system and compares it with that stored in the TOE to ensure integrity of the TSF data. If an attacker tries to change the object of integrity check by circumventing, not through the CLI/GUI administrator console, the Hash value of the TSF data and that stored in the TOE would differ from each other, which will be detected as an integrity error. Then the integrity check result will be recorded in an audit record and the data will be recovered to the state before the error. 7.5.2. External entity testing SW_PT_CHK) The TSF runs a test of external entities according to FPT_TEE.1 during initial start-up, normal operation of the TOE, and at the re-start of the TOE by an authorized administrator to show the correct operation of the external entities. 7. TOE summary specification Security Target Confidential 93 9 Disk state check 9 Memory usage 9 CPU usage 9 Each network interface operation check Usage of disk, memory, and CPU will be checked periodically and the result will be sent to an administrator in real-time. Operation and status of network interface will also be checked. 7.5.3. Maintenance of secure state and session management (SW_PT_AVAILABILITY) The TOE monitors the operation of processes running in the system in accordance with FPT_FLS.1 and FRU_FLT.1 to ensure continuous services of security functions established by an administrator without interference due to an error. In case that a process is not operating as it is intended to or operating irregularly, it restarts all processes related to security functions so security functions can be provided normally. Super administrator can define limited time of an administrator session(1~600 minutes). The session will be terminated after the defined time of authorized administrator inactivity as specified in FTA_SSL.3. Once a session is terminated, re-authentication is required to unlock the session. All accesses for an administrator authentication will be mediated by SSL communication, which is not included in the TOE. Cryptographic key and an integrity monitoring key will be generated randomly each time identification and authentication occur through SSL communication in order to prevent reuse of authentication data. 7.5.4. HA function (SW_PT_HA) The TOE provides HA(High Availability) function that enables kernels of the TOE to synchronize each others’ session information and check operational status and roles. When an HA warning is issued, it will email a specified administrator and makes an audit record. To prevent the TSF from operating poorly due to distributed traffics, it synchronizes policies with the monitored data and sends irrelevant packets to another system. An administrator can define the roles of Master and Backup Master when installing more than two TOE systems as follows: Master : - Checks if the systems on an HA mode are operating normally and makes a list of those systems to transfer to Slaves. - Manages a Virtual IP, which Master can change upon detection of an error in other systems so that traffics will be sent to currently operating systems. * Backup Master : - Functions as Backup member during normal operation; in case of an error in the Master system, it operates as Master temporarily. - When the Master can function normally, Backup Master will detect it and hand over the authorities back to the Master. The TOE also provides Active-Active mode where it distributes load through traffic control during normal operation and, if an error is detected in some systems, sends traffics only to the Security Target 7.5. Protection of the TSF (SW_PT) 94 Confidential currently operating systems, which will ensure high availability. It intends to minimize down time of Web services to maximize availability. Clustering configuration is for increasing the capacity of concurrent processing. In Active-Active mode, as opposed to Active-Standby mode, the Backup Master also functions as the Master, which distributes load of Web traffics, consequently improving availability even more. 8. Annex Security Target Confidential 95 8. Annex 8.1. Glossary and Abbreviation Administrator console A console to manage the TOE; GUI administrator console allows access through a virtual Java machine on the Internet explorer; CLI administrator console allows direct access to the TOE through a serial port of SECUI NXG web Application Firewall V1.0.1. Assets Entities that the owner of the TOE presumably places value upon. Assignment The specification of an identified parameter in a component (of the CC) or requirement. Attack Potential A measure of the effort to be expended in attacking a TOE, expressed in terms of an attacker's expertise, resources and motivation. Audit Trail Collection of disk records on which log and action of a user who accessed the system are recorded. Augmentation The addition of one or more requirement(s) to a package. Authentication Data Information used to verify the claimed identity of a user. Authority A permitted scope to perform security functions for each authorized administrator role. Authorized administrator is categorized into a super administrator, server administrator, and user. Authorities of each are as follows: y Super Admin: Can read/write/enforce all security management functions of the TOE. y Server Admin: Can read/write/enforce all security management functions except “restart service/system.” y User: read/write his ID information only; Can read any other security management functions. Authorized administrator An administrator that securely operates and manages the web application firewall in accordance with the TOE security policies. Authorized user A user who may, in accordance with the SFRs, perform an operation. Base64 encoding check Checks if a query uses base64 encoding method. Bridge mode(Transparent) One of modes of operation of the TOE where it is configured in an in-line type like a firewall. Checksum protection Checks the length or hash value of a web page that the protected web server sends as a Security Target 8.1. Glossary and Abbreviation 96 Confidential respond to a web client and protects modified contents from being leaked. Class A grouping of CC families that share a common focus. Command injection protection Checks if a forbidden system command is being used. Comment removal Checks if the contents provided by the protected Web server includes a comment; if they do, deletes the comment before transferring them to a Web client. Common Criteria for Information Technology Security Evaluation (CC: Common Criteria) The common criteria(CC) is meant to be used as the basis for evaluation of security properties of IT products and systems. It comprises existing criteria from different countries to develop criteria that can be accepted and applied everywhere with a common language and understanding. The CC V3.1r2 was translated into Korean and announced by the Minister of Public Administration and Security by notification no.2009-52. Component The smallest selectable set of elements on which requirements may be based. Connectivity The property of the TOE which allows interaction with IT entities external to the TOE. This includes exchange of data by wire or by wireless means, over any distance in any environment or configuration. Contents Program or information provided by the Internet or PC communication. web contents means web-related data provided by web services. Cookie Recorded information of access to the Internet web site, which mediates between a user and the web site. Cookie corruption check Checks the cookie made by the web server; performs cookie encryption, cookie forge/corruption protection, and domain cookie management. Cookie Poisoning A type of attack where an attacker masquerades as somebody else by manipulating the information of a cookie to access a web site. Cross Site Scripting An attack where an attacker uploads a client side script to a web server to enforce a malicious code on someone else’s browser. Cross-site scripting (XSS) protection Checks whether the query or cookie data sent to the web server includes an enforceable script or HTML tag. Cryptographic communication Communication encoded in a section by HTTPS or other methods. Dependency A relationship between components such that if a requirement based on the depending component is included in a PP, ST or package, a requirement based on the component that is 8. Annex Security Target Confidential 97 depended upon must normally also be included in the PP, ST or package. Element An indivisible statement of security need. Error Message Handling Server script error messages the web server displays such as JSP, ASP, and PHP, and a DB error message may give an attacker information that might threaten the security of the web server. Error message handling stops the messages from being transferred to a user from the web server. Evaluation Assessment of a PP, an ST or a TOE, against defined criteria. Evaluation assurance level (EAL) An assurance package, consisting of assurance components drawn from CC Part 3, representing a point on the CC predefined assurance scale. Evaluation authority A body that implements the CC for a specific community by means of an evaluation scheme and thereby sets the standards and monitors the quality of evaluations conducted by bodies within that community. Evaluation scheme The administrative and regulatory framework under which the CC is applied by an evaluation authority within a specific community. Extension The addition to an ST or PP of functional requirements not contained in Part 2 and/or assurance requirements not contained in Part 3 of the CC. External IT entity Any IT product or system, untrusted or trusted, outside of the TOE that interacts with the TOE. External user A session user that passes through the TOE without authentication to use services of the web server. Family A grouping of components that share a similar goal but may differ in emphasis or rigor. File-upload attack An attack where a user uploads to the web server .exe, .jsp, and .php files applicable on it and enforces malicious commands. Forbidden work check Checks if the contents from the web server or query value delivered to the web server include a forbidden word and, if they do, protects the contents from being leaked. Header buffer overflow check Specifies the maximum size of an HTTP header to prevent buffer overflow. Header method check Checks if the header method of each URL is allowed. Hidden field A hidden field in an HTML is used, though not being seen on a web browser, to transmit data. Security Target 8.1. Glossary and Abbreviation 98 Confidential Hidden field manipulation protection Checks if each URL includes a hidden field. HTML parsing Displaying an HTML document on a screen in a user-friendly format through a web browser program. HTTP 1.1 standard HTTP (HyperText Transfer Protocol) is a protocol that enables information transfer on WWW. Compared to HTTP 1.0, HTTP 1.1 standard has an enhanced rate, more methods added, and uses Host request-header. HTTP communication Communication using HTTP. HTTP header buffer overflow attack An attack where an attacker causes internal buffer to overflow while an executable code is operating on a web server in order to enforce malicious commands. HTTPS communication Using SSL as a subordinate layer of HTTP, encodes and decodes pages requested by a user and returned by a web server. Human User Any person who interacts with the TOE. Identifier A name with which one can uniquely identify and differentiate an object. In this ST, it is an administrator ID, which is an identification name of an authorized administrator accessing the TOE. Identity A representation (e.g. a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym. Internal communication channel A communication channel between parts of the TOE. Internal TOE transfer Communicating data between separated parts of the TOE. Inter-TSF transfer Communicating data between the TOE and the security functionality of other trusted IT products. Invalid HTTP Request or response that is against the HTTP standards. Iteration The use of the same component to express two or more distinct requirements. (Learning by) heuristics Produces a web tree database about the protected web server with the purpose of generating Positive security rule. Object A passive entity in the TOE, that contains or receives information, and upon which subjects 8. Annex Security Target Confidential 99 perform operations. Organizational security policy (OSP) A set of security rules, procedures, or guidelines imposed (or presumed to be imposed) now and/or in the future by an actual or hypothetical organization in the operational environment. Package A named set of either functional or assurance requirements (e.g. EAL 3). Packet A block of data used in data transfer on the Internet. Unlike traditional transfer where data is transmitted consecutively between two points, packet transfer divides data into a certain size and sends a packet one by one. Each packet contains not only a certain size of data but also information such as its addressee, address, or control code. Password An input string required for a login to a specific system to confirm the identity of a user. Password check Checks whether a password is vulnerable in terms of its combination and length. Personal credit information Information about a living individual such as a name and SSN, combination of which can identify an individual. As far as the TOE is concerned, personal information means an SSN and credit card number that can be used illegally by a malicious attacker. Personal credit information leak protection Protects personal credit information like SSN or credit card in web service contents. Positive Rule A web application firewall security policy that denies all accesses except those allowed. Product A package of IT software, firmware, and hardware that is designed to be used or included by a various types of system so that it can provide functions. Protection Profile (PP) An implementation-independent statement of security needs for a TOE type. Query language and value check Checks query of Header and Body sent by GET or POST method. Refinement The addition of details to a component. *RMI XLRTM Processor RMI XLRTM Processor is a general-purpose MIPS64® process that supports a safe line speed, multi platforms, and software-based application. It provides XLR-enhanced simplicity and is combined with a strong and innovative multi-processing and multi-thread-based architecture. XLR Processor based on a programmable SuperSOC™ solution does not require micro-coding or scripting usable only for the XLR itself. In addition, its industry standard media interface provides a variety of connectivity options to intensify compatibility. Security Target 8.1. Glossary and Abbreviation 100 Confidential Figure 8-1 RMI XLRTM Processor Family Figure 8-1 shows the types and specifications of XLR Processor Family. Table 8-1 summarizes main features of XLR Processor Family. Table 8-1 Main features of XLR Processor Family Next Generation XLR Cores • A enhanced XLR processor of a 64-bit MIPS64 type • Supports more than 32 threads (virtual CPU) • More than 8 cores: Supports 4 way multi thread • Supports 1.5 GHz Expansible network interface • Provides 2 SPI-4.2 interfaces (16 port) *§ • Provides 2 10G Ethernets (XGMII) *§ • Provides 4 10/100/1000 Ethernets • Provides a networking hardware acceleration function for each enhanced interface • Provides PCI-X-64/32 bit/133 MHz (PCI 2.2) Master or Target • Provides HyperTransport 8 bit, 3.2 GB/s PIC Cache subsystem • Provides a completely consistent multi-level memory subsystem • Provides each core with system on-chip level 1 split cache • Provides 32 KB ECC L1 data and 32 KB parity L1 command • Provides ECC L2 cache that contains more than 2 MB • 8 ways of combination in all caches Integrated system interfaces • PCMCIA interface • Flash memory interface • Provides dual I2C interface • Provides dual 16550 UART interface • Provides 32 bit GPIO interface • Provides IEEE 1149.1 EJTAG and memory BIST functionality High-speed dispersed inter-connection • Supports connection between all cores, caches, and processing agents • Implements inter-connection providing inter- connectivity and expansibility for high performance by system on-chip; Supports Non-blocking • Supports a high-speed messaging network for an measurable communication between main processing and I/O components High performance configurable memory controllers • DDR1/DDR2/RLD2 DRAM that support ECC (400 MHz) • 4 x 36 or 2 x 72 mixed memory that uses perx72 DRAM • QDR2 or DDR2 SRAM that supports ECC (400 MHz) § •Supports TCAM/NSE / NPF-LA1 interface § • 4-channel DMA Networking hardware acceleration • Provides a packet dispersion engine for processing line bitrates • Flexible packet tagging and packet dispersion management • Verify and generate TCP checksum Power management • An on-chip heat sensor • Supports software-programming clock throttling Strong points of a security acceleration engine • Provides more than 10 Gbps for bulk encoding/decoding • Provides more than 4 high-performance crypto cores • Supports DES / 3DES, ARC4, AES (128, 192, 256) • Supports MD5, SHA-1, SHA-256 (in all HMAC) • Supports RSA/ DH for SSL / IPSec • Random number generator General-purpose programming • Allows virtualization of a domain that is not mapped to a core divided as a virtual MIPS mode • Supports 3 fine and coarse drained scheduling mode / CPU • Supports parallel·pipe line & hybrid processing mode • Supports debugging performance monitoring in the system on-board *§: Shared interface that only supports XLR732 / XLR716 8. Annex Security Target Confidential 101 To summarize main features of XLR Processor Family shown in the Table 8-1, it is a cost- effective single-chip solution implemented with expansibility, multi service system, and the next generation Key building block, which can be provided for a variety of operational environments of users. Role A predefined set of rules establishing the allowed interactions between a user and the TOE. Router mode Router mode is operated in a proxy mode. Proxy was originally used in a firewall for Internet protection, but now for the access to a Proxy server on a Web browser. When a web browser specifies a Proxy, URL required by a web client will be connected to the Proxy server, not a server indicated by the URL. A Proxy server will send the request to the server indicated by the URL, then receive a response instead of the client and deliver it to the client. Secret Information that must be known only to an authorized administrator and/or the TOE security functionality (TSF) in order to enforce a specific Security function policy (SFP). Security attribute A property of subjects, users (including external IT products), objects, information, sessions and/or resources that is used in defining the SFRs and whose values are used in enforcing the SFRs. Security function policy (SFP) A set of rules describing specific security behavior enforced by the TSF and expressible as a set of SFRs. Security objective A statement of intent to counter identified threats and/or satisfy identified organization security policies and/or assumptions. Security Target (ST) An implementation-dependent statement of security needs for a specific identified TOE. Selection The specification of one or more items from a list in a component. SQL(Structured Query Language) A database sublanguage used to operate and manage a relational database. SQL Injection An attack to manipulate an SQL and send it to a web server in order to manipulate the DB of the web server. SQL injection protection Blocks an attack where a user forges query and cookie value sent to the web server so they have an SQL syntax error and enforces SQL command randomly. Stream Socket information used by an input socket and output socket that can be sent and received on a network. Subject An active entity in the TOE that performs operations on objects. Security Target 8.1. Glossary and Abbreviation 102 Confidential System IT equipment with a specific purpose and operational environment. Target of evaluation (TOE) A set of software, firmware and/or hardware possibly accompanied by guidance. Threat agent An unauthorized user or external IT entity that causes a threat such as illegal access, modification, and deletion to an asset. TOE resource Anything useable or consumable in the TOE. TOE security functionality (TSF) A set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the SFRs. Traffic The amount of data transmitted through a network or of transaction and message. Web traffic refers to the data or message that is used in the section of web service. Transfers outside of the TOE TSF mediated communication of data to entities not under control of the TSF. Transparent router mode One of modes of operation of the TOE where it operates as a Web proxy. Without modification of DNS configuration, HTTP(S) communication between a Web server and Web client will be through the TOE. Trusted channel A means by which a TSF and a remote trusted IT product can communicate with necessary confidence. Trusted path A means by which a user and a TSF can communicate with necessary confidence. TSF Data Data created by and for the TOE, which might affect the operation of the TOE. TSF Interface (TSFI) A means by which external entities (or subjects in the TOE but outside of the TSF) send data to the TSF, receive data from the TSF and invoke services from the TSF. Unicode Directory Traversal An attack using Unicode to access a directory file that is not allowed by a web server. URI(Uniform Resource Identifier) An identification system of united information resources with the Internet services provided. The most common type of URI is URL, an web page address. URL(Uniform Resource Locator) A logical address that shows resources such as a file and news group on the Internet. When HTTP is used, resources may be an HTML page, image file, programs like CGI or Java applet, and files supported by HTTP. URL check Checks a URL that is accessing the web server; performs URL analysis, heuristics, access 8. Annex Security Target Confidential 103 control, and directory access control. URL extension check Checks URL extension and determines whether to allow or block. User Any entity outside the TOE that interacts with the TOE. It can be a human user or external IT entity. User agent A client application used by a specific network protocol. User agent HTTP refers to a web browser. User data Data created by and for the user, which does not affect the operation of the TSF. Web application Software developed since Web for the Internet/Intranet using various languages to search database or process general business logic. Script and service like Java script or JSP access database to search for the latest data and provide the result to a user through a browser or client program. Web browser A client program that uses HTTP to request for data on the Internet web server. Web client A user that receives Web services from a Web server. Web server A server computer that provides services on web. The TOE provides Apache, Microsoft, sun, and Zeus. Web tree database Analyzes the structure of a Web server in terms of a directory, Web page, and parameters of URL and stores it in a DB. Positive security rule applies to the DB. Web zone Contrary concept to an Intranet; a domain protected by the TOE, where assets like a system that provides Web application are placed. Zero-Day Attack Personal information leakage increases due to an increase of computer worm virus that searches vulnerable PCs on the Internet that were hit by computer crimes. It usually takes 2 weeks before one takes actions after recognizing that a computer was exposed to a crime. Zero-day attack exploits those computers before patches are made in order to disclosure personal information. 8.2. Reference z Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, Version 3.1 R1, Sep. 2006 z Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1 R2, Sep. 2007 Security Target 8.2. Reference 104 Confidential z Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 R2, Sep. 2007 z Common Methodology for Information Technology Security Evaluation, Version 3.1 R2, Sep. 2007